GHSA-rcpf-vj53-7h2m

GitHub Security Advisory

Denial of Service in org.springframework:spring-core

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions, allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.

Affected Packages

Maven org.springframework:spring-core
Affected versions: 5.0.0 (fixed in 5.0.6)
Maven org.springframework:spring-core
Affected versions: 0 (fixed in 4.3.17)

Key Information

GHSA ID: GHSA-rcpf-vj53-7h2m
Published: October 17, 2018 8:02 PM
Last Modified: March 6, 2024 8:59 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.springframework:spring-core
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 5, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.