Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Affected Packages

Maven org.springframework:spring-core

Affected versions: 5.0.0.RELEASE (fixed in 5.0.7.RELEASE)

Maven org.springframework:spring-core

Affected versions: 4.3.0.RELEASE (fixed in 4.3.18.RELEASE)

Related CVEs

CVE-2018-11040

Key Information

GHSA ID

GHSA-f26x-pr96-vw86

Published

October 16, 2018 5:43 PM

Last Modified

May 15, 2024 6:25 AM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.springframework:spring-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.