spring-boot-devtools-3.3.5.jar: 3 vulnerabilities (highest severity is: 7.5) #23
Description
Vulnerable Library - spring-boot-devtools-3.3.5.jar
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (spring-boot-devtools version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-41249 |  High |
7.5 | spring-core-6.1.14.jar | Transitive | N/A* | ❌ |
| CVE-2025-22235 | High |
7.3 | spring-boot-3.3.5.jar | Transitive | N/A* | ❌ |
| CVE-2025-22233 |  Low |
3.1 | spring-context-6.1.14.jar | Transitive | 3.3.12 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-41249
Vulnerable Library - spring-core-6.1.14.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- spring-boot-3.3.5.jar
- ❌ spring-core-6.1.14.jar (Vulnerable Library)
- spring-boot-3.3.5.jar
Found in base branch: main
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution: org.springframework:spring-core:6.2.11
CVE-2025-22235
Vulnerable Library - spring-boot-3.3.5.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- ❌ spring-boot-3.3.5.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In Spring Boot, the EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Publish Date: 2025-04-28
URL: CVE-2025-22235
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-22235
Release Date: 2025-04-24
Fix Resolution: org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11
CVE-2025-22233
Vulnerable Library - spring-context-6.1.14.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/6.1.14/b3d96fb4310376a608465c3544b7cfb790293787/spring-context-6.1.14.jar
Dependency Hierarchy:
- spring-boot-devtools-3.3.5.jar (Root Library)
- spring-boot-3.3.5.jar
- ❌ spring-context-6.1.14.jar (Vulnerable Library)
- spring-boot-3.3.5.jar
Found in base branch: main
Vulnerability Details
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
- 6.2.0 - 6.2.6
- 6.1.0 - 6.1.19
- 6.0.0 - 6.0.27
- 5.3.0 - 5.3.42
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix Version Availability 6.2.x
6.2.7
OSS6.1.x
6.1.20
OSS6.0.x
6.0.28
Commercial https://enterprise.spring.io/ 5.3.x
5.3.43
Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Publish Date: 2025-05-16
URL: CVE-2025-22233
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233
Release Date: 2025-05-16
Fix Resolution (org.springframework:spring-context): 6.1.20
Direct dependency fix Resolution (org.springframework.boot:spring-boot-devtools): 3.3.12
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.