
spring-boot-starter-web-3.3.5.jar: 17 vulnerabilities (highest severity is: 9.8) #20

@mend-for-github-com

Description

Vulnerable Library - spring-boot-starter-web-3.3.5.jar

Path to dependency file: /pom.xml

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-31651 | Critical | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.11 | |
| CVE-2025-24813 | Critical | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.9 | |
| CVE-2024-56337 | Critical | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.7 | |
| CVE-2024-50379 | Critical | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.7 | |
| CVE-2025-48989 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.4.9 | |
| CVE-2025-48988 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.13 | |
| CVE-2025-48976 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.13 | |
| CVE-2025-41249 | High | 7.5 | spring-core-6.1.14.jar | Transitive | N/A* | |
| CVE-2025-31650 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | N/A* | |
| CVE-2025-11226 | Medium | 6.9 | logback-core-1.5.11.jar | Transitive | N/A* | |
| CVE-2024-12798 | Medium | 6.6 | detected in multiple dependencies | Transitive | 3.3.8 | |
| CVE-2025-55668 | Medium | 6.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.13 | |
| CVE-2025-49125 | Medium | 6.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.13 | |
| CVE-2025-46701 | Medium | 6.5 | tomcat-embed-core-10.1.31.jar | Transitive | N/A* | |
| CVE-2025-41242 | Medium | 5.9 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2024-12801 | Medium | 4.4 | logback-core-1.5.11.jar | Transitive | 3.3.8 | |
| CVE-2025-22233 | Low | 3.1 | spring-context-6.1.14.jar | Transitive | 3.3.12 | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2025-31651

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
Users are recommended to upgrade to versions 9.0.104, 10.1.40 or 11.0.6, which fix the issue.

Publish Date: 2025-04-28

URL: CVE-2025-31651

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2025/04/28/3

Release Date: 2025-04-28

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.40

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.11

CVE-2025-24813

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
  • attacker knowledge of the names of security sensitive files being uploaded
  • the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file based session persistence with the default storage location
  • application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-03-10

URL: CVE-2025-24813

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2025-03-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.35

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.9

CVE-2024-56337

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:

  • running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
  • running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
  • running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-20

URL: CVE-2024-56337

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-20

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

CVE-2024-50379

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. The fix for CVE-2024-50379 was found to be incomplete - users should refer to the follow-up CVE-2024-56337 which fully addresses the issue.

Publish Date: 2024-12-17

URL: CVE-2024-50379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

CVE-2025-48989

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

Publish Date: 2025-08-13

URL: CVE-2025-48989

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2025-08-13

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.44

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.9

CVE-2025-48988

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-48988

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2025-06-16

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.42

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.13

CVE-2025-48976

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. This limit is now configurable (maxPartHeaderSize on the Connector) with a default of 512 bytes.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-48976

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12

Release Date: 2025-06-16

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.42

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.13

CVE-2025-41249

Vulnerable Library - spring-core-6.1.14.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-web-6.1.14.jar
      • spring-core-6.1.14.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-16

URL: CVE-2025-41249

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2025-41249

Release Date: 2025-09-14

Fix Resolution: org.springframework:spring-core:6.2.11

CVE-2025-31650

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.
This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.
Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Publish Date: 2025-04-28

URL: CVE-2025-31650

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826

Release Date: 2025-04-28

Fix Resolution: org.apache.tomcat:tomcat-coyote:10.0.40

CVE-2025-11226

Vulnerable Library - logback-core-1.5.11.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.11/727bdb8dc75b6c392f9be56224503948abc248e8/logback-core-1.5.11.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-3.3.5.jar
      • spring-boot-starter-logging-3.3.5.jar
        • logback-classic-1.5.11.jar
          • logback-core-1.5.11.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Publish Date: 2025-10-01

URL: CVE-2025-11226

CVSS 3 Score Details (6.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Release Date: 2025-10-01

Fix Resolution: https://github.com/qos-ch/logback.git - v_1.5.19

CVE-2024-12798

Vulnerable Libraries - logback-core-1.5.11.jar, logback-classic-1.5.11.jar

logback-core-1.5.11.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.11/727bdb8dc75b6c392f9be56224503948abc248e8/logback-core-1.5.11.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-3.3.5.jar
      • spring-boot-starter-logging-3.3.5.jar
        • logback-classic-1.5.11.jar
          • logback-core-1.5.11.jar (Vulnerable Library)

logback-classic-1.5.11.jar

logback-classic module

Library home page: http://logback.qos.ch

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-3.3.5.jar
      • spring-boot-starter-logging-3.3.5.jar
        • logback-classic-1.5.11.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-19

URL: CVE-2024-12798

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-pr98-23f8-jwxv

Release Date: 2024-12-19

Fix Resolution (ch.qos.logback:logback-core): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.8

Fix Resolution (ch.qos.logback:logback-classic): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-55668

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Session Fixation vulnerability in Apache Tomcat via rewrite valve.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Older, EOL versions may also be affected.

Publish Date: 2025-08-13

URL: CVE-2025-55668

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2025-08-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.42

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.13

CVE-2025-49125

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-49125

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2025-06-16

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.42

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.13

CVE-2025-46701

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.
Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-05-29

URL: CVE-2025-46701

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j

Release Date: 2025-05-29

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:10.1.41

CVE-2025-41242

Vulnerable Libraries - spring-webmvc-6.1.14.jar, spring-beans-6.1.14.jar

spring-webmvc-6.1.14.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-webmvc-6.1.14.jar (Vulnerable Library)

spring-beans-6.1.14.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-web-6.1.14.jar
      • spring-beans-6.1.14.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:

Publish Date: 2025-08-18

URL: CVE-2025-41242

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2025-41242

Release Date: 2025-08-18

Fix Resolution: org.springframework:spring-beans:6.2.10

CVE-2024-12801

Vulnerable Library - logback-core-1.5.11.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.11/727bdb8dc75b6c392f9be56224503948abc248e8/logback-core-1.5.11.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-3.3.5.jar
      • spring-boot-starter-logging-3.3.5.jar
        • logback-classic-1.5.11.jar
          • logback-core-1.5.11.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML.
The attack involves the modification of the DOCTYPE declaration in XML configuration files.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-19

URL: CVE-2024-12801

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-6v67-2wr5-gvf4

Release Date: 2024-12-19

Fix Resolution (ch.qos.logback:logback-core): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-22233

Vulnerable Library - spring-context-6.1.14.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/6.1.14/b3d96fb4310376a608465c3544b7cfb790293787/spring-context-6.1.14.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-webmvc-6.1.14.jar
      • spring-context-6.1.14.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected Spring Products and Versions

Spring Framework:

  • 6.2.0 - 6.2.6
  • 6.1.0 - 6.1.19
  • 6.0.0 - 6.0.27
  • 5.3.0 - 5.3.42
  • Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix Version | Availability |
| --- | --- | --- |
| 6.2.x | 6.2.7 | OSS |
| 6.1.x | 6.1.20 | OSS |
| 6.0.x | 6.0.28 | Commercial (https://enterprise.spring.io/) |
| 5.3.x | 5.3.43 | Commercial (https://enterprise.spring.io/) |

No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind, together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setter binding, prefer the use of allowedFields (an explicit list) over disallowedFields.

Credit

This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

Publish Date: 2025-05-16

URL: CVE-2025-22233

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233

Release Date: 2025-05-16

Fix Resolution (org.springframework:spring-context): 6.1.20

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.12

⛑️ Automatic Remediation will be attempted for this issue.

