CVE-2022-31679

Information Exposure
Affects Spring Data REST in Spring
Versions: >=3.5.0 <=3.5.12, >=3.6.0 <3.6.7, >=3.7.0 <3.7.3
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Data REST automatically exposes Spring Data repositories as RESTful endpoints, providing HATEOAS-driven HTTP resources over JPA entities with minimal boilerplate.

A vulnerability (CVE-2022-31679) exists in Spring Data REST's handling of JSON Patch requests (Content-Type application/json-patch+json). The framework does not enforce Jackson serialization annotations when applying patch operations to domain objects. This is an instance of Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915): insufficient validation of user-supplied input lets an attacker set object attributes that should be protected.

In this case, entity fields hidden by @JsonIgnore or @JsonIgnoreProperties can still be modified via carefully crafted JSON Patch requests. An attacker understanding the domain model can write to sensitive properties like passwords or PII that were intentionally hidden from the REST interface.

This issue spans multiple release trains of the spring-data-rest-webmvc and spring-data-rest-core packages.

Details

Vulnerability Info

This vulnerability affects applications using Spring Data REST that allow HTTP PATCH operations on repository resources. The problem is that the JSON Patch processor modifies domain objects directly, ignoring Jackson's annotation-based visibility rules.

Exploitation is possible when:

  • The application exposes JPA entities via Spring Data REST.
  • Entity fields are marked non-serializable with @JsonIgnore or @JsonIgnoreProperties.
  • The application accepts application/json-patch+json HTTP PATCH requests.
  • The attacker knows the entity's field names.

An attacker can send a JSON Patch replace operation targeting a protected field. Since the patch processor bypasses Jackson's controls, the hidden field is modified in the data store, even though standard REST serialization would exclude it.

While rated Low severity (CVSS 3.7) due to confidentiality impact, the practical risk is higher if hidden fields contain credentials, as the flaw in the affected code also permits unauthorized writes.
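As an added example (not part of this advisory and not Spring's code), the following Python script applies the check that the affected JSON Patch processor omitted: it decodes each operation's JSON Pointer and flags any operation that reads or writes a property the domain model hides. The HIDDEN_FIELDS map (standing in for the @JsonIgnore / @JsonIgnoreProperties annotations) and the sample patch body are constructed assumptions; the same rule can be run over request logs or at an API gateway to detect or reject such requests.

```python
"""Flag JSON Patch (RFC 6902) operations that touch entity fields hidden from
the REST view by Jackson's @JsonIgnore / @JsonIgnoreProperties."""
import json

# Hidden properties per exposed repository, mirroring the @JsonIgnore and
# @JsonIgnoreProperties annotations on the domain classes (constructed sample).
HIDDEN_FIELDS = {"users": {"password", "ssn"}, "accounts": {"internalNotes"}}

def decode_pointer(pointer):
    """Split a JSON Pointer (RFC 6901) into segments; "" is the whole document."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError("JSON Pointer must be empty or start with '/'")
    # Unescape ~1 before ~0, as the RFC requires, so "~01" decodes to "~1".
    return [seg.replace("~1", "/").replace("~0", "~") for seg in pointer.split("/")[1:]]

def touched_fields(op):
    """Top-level entity properties an operation reads or writes: 'path' for
    every op, plus 'from' for move/copy. A root pointer ("") hits the whole
    entity and is reported as "*"."""
    fields = []
    for key in ("path", "from"):
        if key in op:
            segs = decode_pointer(op[key])
            fields.append(segs[0] if segs else "*")
    return fields

def find_hidden_writes(resource, patch_body):
    """Return (index, op, field) for each operation touching a hidden field."""
    hidden = HIDDEN_FIELDS.get(resource, set())
    hits = []
    for i, op in enumerate(json.loads(patch_body)):
        for field in touched_fields(op):
            if field == "*" or field in hidden:
                hits.append((i, op["op"], field))
    return hits

# Constructed sample body of a PATCH (application/json-patch+json) to /users/42.
SAMPLE_PATCH = json.dumps([
    {"op": "replace", "path": "/email", "value": "alice@example.com"},
    {"op": "replace", "path": "/password", "value": "new-secret"},
    {"op": "copy", "from": "/ssn", "path": "/displayName"},
    {"op": "replace", "path": "", "value": {"email": "bob@example.com"}},
])

if __name__ == "__main__":
    for index, op_name, field in find_hidden_writes("users", SAMPLE_PATCH):
        print(f"op {index} ({op_name}) touches hidden field {field!r}")
```

Only the first operation in the sample passes; the other three are reported because they write a hidden field, read one through a copy, or replace the entire entity.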

Mitigation

Only recent versions of Spring Data REST receive community security patches. Older release trains (such as the 3.5.x line used with Spring Boot 2.5.x) have no publicly available fix. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to community-supported versions of Spring Data REST.
  • If HTTP PATCH support is not required for your application, disable it as a workaround. Spring Data REST lets you restrict which HTTP methods are exposed, either globally or per repository. You can disable PATCH for all item resources using the ExposureConfiguration API:

import org.springframework.context.annotation.Configuration;
import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
import org.springframework.data.rest.core.mapping.ExposureConfiguration;
import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
import org.springframework.http.HttpMethod;
import org.springframework.web.servlet.config.annotation.CorsRegistry;

@Configuration
public class RestConfig implements RepositoryRestConfigurer {
  @Override
  public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config, CorsRegistry cors) {
    ExposureConfiguration exposureConfig = config.getExposureConfiguration();

    // Remove PATCH from every item resource (/{repository}/{id}) so that
    // application/json-patch+json requests are rejected before any patch
    // operation reaches the domain object.
    exposureConfig.withItemExposure((metadata, httpMethods) -> httpMethods.disable(HttpMethod.PATCH));
  }
}

See the Spring Data REST reference documentation for full details on customizing HTTP method exposure.

  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

Severity: Medium (CVSS assessment levels: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2022-31679
Project Affected: Spring Data REST
Versions Affected: >=3.5.0 <=3.5.12, >=3.6.0 <3.6.7, >=3.7.0 <3.7.3
NES Versions Affected:
Published date: March 24, 2026
≈ Fix date: March 11, 2026
Category: Information Exposure