GHSA-ccgv-vj62-xf9h
GitHub Security Advisory
Spring Web vulnerable to Open Redirect or Server Side Request Forgery
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks.
Affected Packages
Maven: org.springframework:spring-web. Affected versions: 6.1.0 (fixed in 6.1.4)
Maven: org.springframework:spring-web. Affected versions: 6.0.0 (fixed in 6.0.17)
Maven: org.springframework:spring-web. Affected versions: 5.3.0 (fixed in 5.3.32)
Maven: org.springframework:spring-web. Affected versions: 0 (last affected: 5.2.25.RELEASE)
Related CVEs
Key Information
7.5/10
Dataset
Last updated: July 28, 2025 6:37 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.