Platform: java
Component: org.springframework:spring-webflux
Fixed in: 5.3.1, 6.1.14
CVE-2024-38819 describes a Path Traversal vulnerability affecting Spring Webflux. This flaw allows attackers to potentially access sensitive files on the server's filesystem by crafting malicious HTTP requests. The vulnerability impacts versions of Spring Webflux up to and including 6.1.9. A fix is available in version 6.1.14.
The core of this vulnerability lies in how Spring Webflux handles static resource requests through its functional web frameworks, WebMvc.fn and WebFlux.fn. An attacker can exploit this by manipulating the request path to bypass the intended access controls, reading arbitrary files accessible to the Spring application's process, potentially including configuration files, source code, or sensitive data such as database credentials. The blast radius is significant, as successful exploitation could lead to complete compromise of the server and its data. No directly comparable precedent is obvious, but the underlying mechanism is that of other path traversal vulnerabilities: improper input validation allows access to resources outside the intended directory.
CVE-2024-38819 was publicly disclosed on December 19, 2024. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and the widespread use of Spring Webflux. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 74.50% (99th percentile)
The primary mitigation is to upgrade to Spring Webflux version 6.1.14 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rules to filter out malicious path traversal attempts. Specifically, look for patterns involving directory traversal sequences like ../ or encoded equivalents. Additionally, review your application's static resource configuration to ensure that access controls are properly enforced and that only authorized files are served. After upgrading, verify the fix by attempting to access a file outside the intended static resource directory using a crafted HTTP request; the request should be denied.
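As an added, defender-side example (not code from the advisory or from the Spring project), the following Python implements the two checks the mitigation above describes: a WAF-style rule that flags a `..` segment once the path is percent-decoded (repeated decoding and backslash separators are how this example interprets "encoded equivalents"), and a containment check that verifies the normalized path stays under the static resource root. The sample request lines, the `/static` root and all function names are constructed for illustration.

```python
"""Detect directory-traversal attempts in request paths (constructed example)."""
import posixpath
from urllib.parse import unquote

# Constructed sample request lines in a simplified access-log style; not real traffic.
SAMPLE_REQUESTS = [
    "GET /static/css/app.css",                          # benign
    "GET /static/../../etc/passwd",                     # plain traversal
    "GET /static/%2e%2e/%2e%2e/etc/passwd",             # percent-encoded dots
    "GET /static/%252e%252e/%252e%252e/etc/passwd",     # double-encoded dots
    "GET /static/..%5c..%5cwindows/win.ini",            # backslash separators
    "GET /static/images/logo..png",                     # '..' inside a name, benign
    "GET /static/%2e%2e%2f..%2fetc/passwd",             # mixed encoding
    "GET /static/../static/css/app.css",                # '..' but stays under root
]

STATIC_ROOT = "/static"  # assumed resource root for the containment check


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, bounded to avoid looping."""
    current = path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def split_segments(path: str) -> list[str]:
    """Decode, treat backslashes as separators, and return the non-empty segments."""
    decoded = fully_decode(path).replace("\\", "/")
    return [seg for seg in decoded.split("/") if seg]


def has_traversal_segment(path: str) -> bool:
    """WAF-style rule: flag any segment that is exactly '..' after decoding.

    'logo..png' is not flagged because the rule compares whole segments,
    not substrings; this avoids false positives on legitimate file names.
    """
    return ".." in split_segments(path)


def escapes_root(path: str, root: str = STATIC_ROOT) -> bool:
    """Containment check: does the normalized path leave the resource root?

    This is the property a resource handler must enforce: after resolving
    every '..', the path must still be the root or lie beneath it.
    """
    decoded = fully_decode(path).replace("\\", "/")
    normalized = posixpath.normpath(decoded)
    root_norm = posixpath.normpath(root)
    return not (normalized == root_norm or normalized.startswith(root_norm + "/"))


def scan(request_lines: list[str]) -> list[dict]:
    """Apply both rules to each 'METHOD path' line and report the verdicts."""
    results = []
    for line in request_lines:
        method, _, path = line.partition(" ")
        results.append(
            {
                "method": method,
                "path": path,
                "traversal_segment": has_traversal_segment(path),
                "escapes_root": escapes_root(path),
            }
        )
    return results


def flagged_paths(request_lines: list[str]) -> list[str]:
    """Paths that trip either rule; suitable input for a block or alert list."""
    return [r["path"] for r in scan(request_lines)
            if r["traversal_segment"] or r["escapes_root"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print(f"{r['path']:45} segment={r['traversal_segment']!s:5} escapes={r['escapes_root']}")
```

The two rules deliberately disagree on the last sample: a WAF that blocks on any decoded `..` segment rejects `/static/../static/css/app.css` even though it resolves inside the root, while the containment check accepts it. Blocking at the edge is the stricter, lower-cost temporary control; containment after normalization is what the application itself must guarantee, and it is the behaviour a post-upgrade verification request (a path that resolves outside the resource directory) should observe as a denial.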
Update to the version of the Spring Framework that fixes this vulnerability. Refer to the Spring security advisory for details on affected versions and fixed versions. Consider applying the mitigations recommended by Spring if updating is not immediately possible.
CVE-2024-38819 is a Path Traversal vulnerability affecting Spring Webflux versions up to 6.1.9, allowing attackers to access files on the server's filesystem.
You are affected if you are using Spring Webflux versions 6.1.9 or earlier and serve static resources using WebMvc.fn or WebFlux.fn.
Upgrade to Spring Webflux version 6.1.14 or later. Implement WAF rules to filter malicious path traversal attempts as a temporary workaround.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to be targeted soon.
Refer to the Spring Security Vulnerability Updates page for the latest information: https://security.spring.io/.