GHSA-jjfh-589g-3hjx

GitHub Security Advisory

Spring Boot Actuator denial of service vulnerability

GitHub Reviewed: Yes | Severity: MODERATE | Has CVE: Yes

Advisory Details

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, a user can send specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

* the application uses Spring MVC or Spring WebFlux
* `org.springframework.boot:spring-boot-actuator` is on the classpath
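To check the classpath condition above against the affected ranges this advisory lists, here is an added example (not part of the advisory) that scans constructed `mvn dependency:list` output for the actuator artifact and maps each version found to the release that fixes it; the sample output lines and the helper names are assumptions.

```python
"""Check Maven dependency output for spring-boot-actuator versions covered by this advisory."""
import re

# Affected ranges from the advisory: (first affected version, first fixed version).
# A version is affected when low <= version < fixed.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 18)),
    ((3, 0, 0), (3, 0, 13)),
    ((3, 1, 0), (3, 1, 6)),
]
ACTUATOR = "org.springframework.boot:spring-boot-actuator"

# Constructed sample of `mvn dependency:list` output (not output from a real project).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.7.17:compile
[INFO]    org.springframework.boot:spring-boot-actuator:jar:2.7.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.30:compile
"""


def parse_version(text):
    """Turn '2.7.17' or '3.0.12-SNAPSHOT' into a comparable tuple of ints (qualifier dropped)."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """Return the fixed version string if `version` is in an affected range, else None."""
    parsed = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= parsed < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def find_actuator_versions(dependency_list):
    """Extract every spring-boot-actuator version from `mvn dependency:list` text."""
    pattern = re.compile(re.escape(ACTUATOR) + r":jar:([^:\s]+):")
    return pattern.findall(dependency_list)


def check(dependency_list):
    """Map each actuator version found to the release that fixes it (None if not affected)."""
    return {v: is_affected(v) for v in find_actuator_versions(dependency_list)}


if __name__ == "__main__":
    print(check(SAMPLE_DEPENDENCY_LIST))
```

This covers only the classpath condition; whether the application uses Spring MVC or WebFlux still has to be confirmed separately.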

Affected Packages

Maven org.springframework.boot:spring-boot-actuator
Affected versions: 2.7.0 - 2.7.17 (fixed in 2.7.18)
Maven org.springframework.boot:spring-boot-actuator
Affected versions: 3.0.0 - 3.0.12 (fixed in 3.0.13)
Maven org.springframework.boot:spring-boot-actuator
Affected versions: 3.1.0 - 3.1.5 (fixed in 3.1.6)

Related CVEs

Key Information

GHSA ID
GHSA-jjfh-589g-3hjx
Published
November 28, 2023 9:30 AM
Last Modified
February 13, 2025 7:20 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.springframework.boot:spring-boot-actuator
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.