GHSA-x637-x8p3-5p22

GitHub Security Advisory

Improper Authentication in Spring Authorization Server

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients.

Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant.

An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.
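The defensive point behind this advisory is that a PKCE requirement must be decided by what was bound to the authorization code at the authorization endpoint (a code_challenge), never by whether the client also authenticated at the token endpoint. The following is an added illustration, not Spring Authorization Server's code: a token-endpoint check over a constructed in-memory code store, with a flag that models the downgrade weakness (client authentication silently substituting for PKCE on a confidential client) beside the hardened behaviour. The client ids, codes and verifiers are constructed sample values.

```python
import base64
import hashlib
import hmac


def s256(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed sample data: what the authorization endpoint bound to each code.
ISSUED_CODES = {
    "code-conf-1": {"client_id": "confidential-app", "code_challenge": s256("verifier-A"), "method": "S256"},
    "code-pub-1": {"client_id": "public-app", "code_challenge": s256("verifier-B"), "method": "S256"},
}
CLIENTS = {"confidential-app": {"confidential": True}, "public-app": {"confidential": False}}


def exchange_code(code, client_id, client_authenticated, code_verifier, *, pkce_by_challenge=True):
    """Return True if the token request may be honoured.

    pkce_by_challenge=True  -> hardened: a matching code_verifier is required whenever the
                               code was issued with a code_challenge, for every client type.
    pkce_by_challenge=False -> illustrative model of the downgrade weakness (an assumption for
                               this example, not the product's actual logic): client
                               authentication is accepted in place of PKCE for confidential clients.
    """
    record = ISSUED_CODES.get(code)
    if record is None or record["client_id"] != client_id:
        return False  # unknown code or code issued to another client
    client = CLIENTS[client_id]
    if client["confidential"] and not client_authenticated:
        return False  # confidential clients must always authenticate at /token
    challenge = record.get("code_challenge")
    if challenge is None:
        return True  # no PKCE was started for this code, nothing to verify
    if not pkce_by_challenge and client["confidential"]:
        return True  # WEAK: PKCE silently dropped because the client authenticated
    if code_verifier is None or record["method"] != "S256":
        return False  # verifier missing, or an unsupported transform
    return hmac.compare_digest(s256(code_verifier), challenge)
```

A token request for a code issued with a code_challenge but carrying no code_verifier should fail for a confidential client exactly as it does for a public one; the weak mode shows the single decision that breaks that.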

Affected Packages

Maven org.springframework.security:spring-security-oauth2-authorization-server
Affected versions: 0 (fixed in 1.1.6)
Maven org.springframework.security:spring-security-oauth2-authorization-server
Affected versions: 1.2.0 (fixed in 1.2.3)

Related CVEs

Key Information

GHSA ID
GHSA-x637-x8p3-5p22
Published
March 20, 2024 3:32 PM
Last Modified
December 5, 2024 10:17 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.springframework.security:spring-security-oauth2-authorization-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 20, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.