High severityNVD Advisory· Published Mar 16, 2024· Updated Feb 13, 2025
CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)
CVE-2024-22259
Description
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework:spring-webMaven | >= 6.1.0, < 6.1.5 | 6.1.5 |
org.springframework:spring-webMaven | >= 6.0.0, < 6.0.18 | 6.0.18 |
org.springframework:spring-webMaven | < 5.3.33 | 5.3.33 |
Affected products
12- osv-coords11 versionspkg:apk/chainguard/jenkinspkg:apk/chainguard/jenkins-2.440pkg:apk/chainguard/jenkins-compatpkg:apk/chainguard/jenkins-remotingpkg:apk/chainguard/kayenta-2025.4pkg:apk/chainguard/kayenta-2026.0pkg:apk/chainguard/kayenta-fips-2025.4pkg:apk/wolfi/jenkinspkg:apk/wolfi/jenkins-compatpkg:apk/wolfi/jenkins-remotingpkg:maven/org.springframework/spring-web
< 2.450-r0+ 10 more
- (no CPE)range: < 2.450-r0
- (no CPE)range: < 2.440.3-r0
- (no CPE)range: < 2.450-r0
- (no CPE)range: < 2.450-r0
- (no CPE)range: < 2025.4.3-r6
- (no CPE)range: < 2026.0.2-r6
- (no CPE)range: < 2025.4.3-r7
- (no CPE)range: < 2.450-r0
- (no CPE)range: < 2.450-r0
- (no CPE)range: < 2.450-r0
- (no CPE)range: >= 6.1.0, < 6.1.5
- Range: 6.1.x
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-hgjh-9rj2-g67jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-22259ghsaADVISORY
- github.com/spring-projects/spring-framework/commit/297cbae2990e1413537c55845a7e0ea0ffd9f9bbghsaWEB
- github.com/spring-projects/spring-framework/commit/381f790329a48b74c2a49fc1384dd68ca9153501ghsaWEB
- github.com/spring-projects/spring-framework/commit/f2fd2f12269c6a781c5b2c20b3c24141055a3d68ghsaWEB
- security.netapp.com/advisory/ntap-20240524-0002ghsaWEB
- spring.io/security/cve-2024-22259ghsaWEB
- security.netapp.com/advisory/ntap-20240524-0002/mitre
News mentions
0No linked articles in our index yet.