CVE-2026-40999

Vulnerability

Spring Web Services versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8 are vulnerable to a server-side request forgery (SSRF) when WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses. The AbstractAddressingEndpointMapping class, when combined with configured WebServiceMessageSender instances for out-of-band replies, will initiate outbound connections to destinations taken directly from incoming request headers without verifying their safety [1].

Exploitation

An attacker must be able to send a request to a vulnerable endpoint that accepts WS-Addressing headers from untrusted callers. The attacker supplies a crafted wsa:ReplyTo or wsa:FaultTo header pointing to an internal host, cloud metadata endpoint (e.g., http://169.254.169.254), or other sensitive destination. The server then uses a configured WebServiceMessageSender (e.g., HttpUrlConnectionMessageSender, JmsMessageSender) to connect to that address. No authentication or special privileges are required beyond network access to the vulnerable service [1].

Impact

Successful exploitation allows an attacker to make the server initiate outbound connections to internal-only systems or cloud metadata services, potentially leaking sensitive information, accessing internal services, or pivoting deeper into the network. This is a classic SSRF that can lead to information disclosure and further compromise of the infrastructure [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed version: 5.0.2, 4.1.4, 4.0.19 (Enterprise Support), or 3.1.9 (Enterprise Support). If upgrading is not possible, restrict destinations accepted by each WebServiceMessageSender by overriding its supports(URI) method to allowlist only known-safe destinations. For example, a custom JmsMessageSender can check the destination name against a whitelist. The same pattern applies to other sender types [1].