View all Vulnerabilities

CVE-2023-34036

Improper Input Validation (4.16)
Affects
spring-hateoas
in
Spring
No items found.
Versions
< 1.5.5 2.0.x < 2.0.5 2.1.0
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and possibly discard) forwarded headers either in WebFlux or at the level of the underlying HTTP server.

For the application to be affected, it needs to satisfy the following requirements:

  • It needs to use the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses.
  • The application infrastructure does not guard against clients submitting (X-)Forwarded… headers.

Details

Module Info

  • Product: spring-hateoas
  • Affected packages: spring-hateoas
  • Affected versions: 1.3.7
  • GitHub repository: https://github.com/spring-projects/spring-hateoas/
  • Published packages: https://central.sonatype.com/artifact/org.springframework.hateoas/spring-hateoas
  • Package manager: Maven
  • Fixed In: NES for Spring v1.3.8

Vulnerability Info

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle (and possibly discard) forwarded headers either in WebFlux or at the level of the underlying HTTP server.

For the application to be affected, it needs to satisfy the following requirements:

  • It needs to use the reactive web stack (Spring WebFlux) and Spring HATEOAS to create links in hypermedia-based responses.
  • The application infrastructure does not guard against clients submitting (X-)Forwarded… headers.

Mitigation

  • Upgrade Spring HATEOAS to versions 1.5.5, 2.0.5, 2.1.1 (or newer) to ensure that Forwarded headers are no longer processed by default in reactive applications.
  • Configure a Trusted Proxy to strip or override incoming X-Forwarded-* and Forwarded headers from untrusted clients before they reach the application.
  • Manually disable Forwarded Header support at the server level (e.g., Netty or Tomcat) if hypermedia links do not require preservation of the client's original protocol or host.

Steps To Reproduce

  1. Deploy a Spring WebFlux application using an affected version of Spring HATEOAS (e.g., < 1.5.5 or 2.0.x < 2.0.5).
  2. Expose a Reactive Hypermedia endpoint that generates links (e.g., using WebFluxLinkBuilder) and ensure no "Forwarded Header Filter" is manually configured to strip untrusted input.
  3. Submit an HTTP request to the endpoint including a malicious header, such as Forwarded: host=malicious.com;proto=https or X-Forwarded-Host: malicious.com.
  4. Observe the response body, specifically the _links or links section, to see if the generated URLs point to the attacker-controlled domain (malicious.com) instead of the actual server host.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2023-34036
PROJECT Affected
spring-hateoas
Versions Affected
< 1.5.5 2.0.x < 2.0.5 2.1.0
NES Versions Affected
Published date
July 17, 2023
≈ Fix date
February 6, 2026
Fixed in
NES for Spring
Category
Improper Input Validation (4.16)
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.