CVE-2025-22233

Authorization Bypass
Affects
Spring Framework
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.42, >=6.0.0 <=6.0.27, >=6.1.0 <6.1.20, >=6.2.0 <6.2.7
in
Spring
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

An improper case sensitive match vulnerability (CVE-2025-22233) has been identified in Spring Framework, which could potentially result in fields not being protected as expected.

This issue affects multiple versions of Spring Framework.

Details

Module Info

  • Package manager: Maven
  • Fixed in: NES for Spring Framework v4.3.34 and v5.3.46

Vulnerability Info

The fix for CVE-2024-38820 addressed the use of Java's toLowerCase method with the JVM's default locale, which could cause fields to not be protected as expected, depending on the field name and the JVM's default locale. That fix did not address all cases in which it is possible to bypass the disallowedFields checks.

Steps To Reproduce

The following test in DataBinderTests demonstrates the weakness. It shows a scenario where the bean property name contains a Unicode character (the dotless ı, U+0131) and the disallowed field is given as the ASCII uppercase form of that name; before the patch the field is still bound and the test fails. With the patch applied, the same test passes.

// Imports needed by the two fragments below when placed in DataBinderTests.
import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindException;
import org.springframework.validation.DataBinder;

// Bean whose property name contains LATIN SMALL LETTER DOTLESS I (U+0131): "jedı".
public static class SimpleTestBean {
	private boolean jedı;

	public boolean isJedı() {
		return this.jedı;
	}

	public void setJedı(boolean jedı) {
		this.jedı = jedı;
	}
}

@Test
void setDisallowedFields_CVE_2025_22233() throws BindException {
	SimpleTestBean rod = new SimpleTestBean();
	DataBinder binder = new DataBinder(rod);
	// Disallow the field using the ASCII uppercase form of its name.
	binder.setDisallowedFields("JEDI");

	MutablePropertyValues pvs = new MutablePropertyValues();
	pvs.add("jedı", true);

	binder.bind(pvs);
	binder.close();

	// The disallowed-fields check must have matched "jedı" and suppressed it.
	// Without the patch the value is bound instead and this assertion fails.
	assertThat(binder.getBindingResult().getSuppressedFields())
			.containsExactlyInAnyOrder("jedı");
}
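
The following standalone program is an added illustration of the root cause, not code from this advisory or from Spring Framework. It reduces the disallowed-field check to a plain equality match (Spring also supports wildcard patterns) and contrasts lowercasing both sides, first with the JVM default locale and then with Locale.ROOT, against a per-character case-insensitive comparison; the per-character comparison is this example's hardening, not necessarily the exact change Spring shipped. The field names are constructed to mirror the test above.

```java
import java.util.Locale;

// Added example, not Spring Framework code. Shows why lowercasing both sides of a
// disallowedFields comparison is not a safe case-insensitive match.
public class DisallowedFieldMatch {

    private static final Locale TURKISH = Locale.forLanguageTag("tr");

    // Locale-sensitive lowercasing of both sides. With the JVM default locale this is the
    // CVE-2024-38820 shape; with Locale.ROOT it is the shape CVE-2025-22233 still bypasses.
    static boolean matchesByLowerCase(String disallowed, String field, Locale locale) {
        return disallowed.toLowerCase(locale).equals(field.toLowerCase(locale));
    }

    // Per-character case folding: String.equalsIgnoreCase compares the
    // Character.toUpperCase/toLowerCase of each char, which is locale independent and
    // maps dotless 'ı' (U+0131) to 'I', so "jedı" is recognised as a form of "JEDI".
    static boolean matchesIgnoreCase(String disallowed, String field) {
        return disallowed.equalsIgnoreCase(field);
    }

    public static void main(String[] args) {
        String disallowed = "JEDI";          // as passed to binder.setDisallowedFields
        String asciiField = "jedi";          // ordinary bean property name (constructed)
        String dotlessField = "jed\u0131";   // "jedı", the property of the advisory's test bean

        System.out.println("CVE-2024-38820 shape: JVM default locale is Turkish, field 'jedi'");
        System.out.println("  lowercase(tr)    : " + matchesByLowerCase(disallowed, asciiField, TURKISH));
        System.out.println("  equalsIgnoreCase : " + matchesIgnoreCase(disallowed, asciiField));

        System.out.println("CVE-2025-22233 shape: Locale.ROOT, field 'jed\u0131' (U+0131)");
        System.out.println("  lowercase(ROOT)  : " + matchesByLowerCase(disallowed, dotlessField, Locale.ROOT));
        System.out.println("  equalsIgnoreCase : " + matchesIgnoreCase(disallowed, dotlessField));
    }
}
```

In the Turkish locale "JEDI" lowercases to "jedı" (not "jedi"), and under Locale.ROOT "jedı" stays "jedı" while "JEDI" becomes "jedi", so both lowercasing variants miss a match that the per-character comparison catches.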

Credit

  • TERASOLUNA Framework Development Team from NTT DATA Group Corporation

Mitigation

Only recent versions of Spring Framework are community-supported. Only the recent community support version will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Framework
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details
ID
CVE-2025-22233
Project Affected
Spring Framework
Versions Affected
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.42, >=6.0.0 <=6.0.27, >=6.1.0 <6.1.20, >=6.2.0 <6.2.7
Published date
May 15, 2025
≈ Fix date
May 15, 2025
Severity
Low
Category
Authorization Bypass