CVE-2026-22735

Content Spoofing
Affects: Spring Framework (in Spring)
Versions: >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.46, >=6.1.0 <=6.1.25, >=6.2.0 <=6.2.16, >=7.0.0 <=7.0.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Framework is an open-source application framework for the Java platform that provides comprehensive infrastructure support for developing enterprise-level Java applications. It offers features including dependency injection, web frameworks (Spring MVC and WebFlux), data access, messaging, and more.

A low-severity vulnerability (CVE-2026-22735) has been identified in Spring Framework. The Server-Sent Events (SSE) implementations in both Spring MVC (SseEmitter) and Spring WebFlux (ServerSentEvent) do not validate the id and event field values for the presence of newline characters. An attacker who controls data that is streamed to other users can inject newline characters to corrupt the SSE event stream. Depending on the front-end logic, this could corrupt application state or present malicious information to connected clients.

Per OWASP: Injection is an attacker's attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter. In the context of SSE, the protocol uses newline characters as field delimiters. By injecting newline characters into fields that are not properly sanitized, an attacker can terminate the current event prematurely, inject additional SSE fields, or start entirely new events that clients will process as legitimate server messages.

This issue affects multiple versions of Spring Framework.

Details

Vulnerability Info

This low-severity vulnerability is found in the spring-web and spring-webmvc modules of Spring Framework across all listed affected versions.

In the Server-Sent Events (SSE) protocol, fields such as id, event, data, and comment are delimited by newline characters. The SSE specification requires that id and event field values not contain newline characters (\n, \r, or \r\n), because these characters serve as field delimiters in the protocol.

Prior to the fix, the Spring Framework SSE implementations, SseEmitter in Spring MVC and ServerSentEvent/ServerSentEventHttpMessageWriter in Spring WebFlux, did not validate id or event values for the presence of newline characters. If an application passed user-controlled data into these fields, an attacker could inject newline characters to:

  • Prematurely terminate the current SSE field and inject additional fields
  • Inject entirely new SSE events into the stream
  • Corrupt the data stream received by other connected clients

For example, if an attacker controls the SSE event id value and sets it to "valid\ndata:malicious", the resulting SSE output would be:

id:valid
data:malicious

This would cause the SSE client to interpret malicious as part of the event data, effectively injecting content into the stream.

Additionally, both SSE implementations handled multi-line comment events inconsistently, and the multi-line data handling did not account for \r or \r\n line endings: the previous implementation used a simple StringUtils.replace(text, "\n", "\ndata:") call that handled only \n characters, so a bare \r or a \r\n sequence inside a data value was not given its own data: prefix.
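The id injection shown above and the \r / \r\n handling issue, side by side in an added Java example that is not Spring Framework code (the class SseFraming and its methods naiveEvent, safeEvent and fieldNames are hypothetical names; no Spring classes are used). naiveEvent reproduces the pre-fix behaviour the advisory describes, safeEvent shows the kind of validation and line splitting that prevents it, and fieldNames parses a frame the way an SSE client would so the injected field becomes visible:

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration for this advisory; it is NOT Spring Framework code.
// It models the two behaviours described above: a naive SSE framer that
// writes id/event unchecked and only rewrites "\n" in data, and a hardened
// framer that rejects line breaks in id/event and splits data on any
// line ending before prefixing each line with "data:".
public final class SseFraming {

    /** Raised by the hardened framer when id or event contains CR or LF. */
    public static final class InvalidSseFieldException extends IllegalArgumentException {
        InvalidSseFieldException(String field) {
            super("SSE field '" + field + "' must not contain CR or LF");
        }
    }

    /** Naive framing (hypothetical): mirrors the pre-fix behaviour. */
    public static String naiveEvent(String id, String event, String data) {
        StringBuilder sb = new StringBuilder();
        if (id != null) sb.append("id:").append(id).append('\n');
        if (event != null) sb.append("event:").append(event).append('\n');
        // Same effect as StringUtils.replace(text, "\n", "\ndata:"): only LF is handled.
        sb.append("data:").append(data.replace("\n", "\ndata:")).append('\n');
        return sb.append('\n').toString(); // blank line terminates the event
    }

    private static void rejectLineBreaks(String field, String value) {
        if (value.indexOf('\n') >= 0 || value.indexOf('\r') >= 0) {
            throw new InvalidSseFieldException(field);
        }
    }

    /** Hardened framing (hypothetical): validates id/event; handles CR, LF and CRLF in data. */
    public static String safeEvent(String id, String event, String data) {
        StringBuilder sb = new StringBuilder();
        if (id != null) {
            rejectLineBreaks("id", id);
            sb.append("id:").append(id).append('\n');
        }
        if (event != null) {
            rejectLineBreaks("event", event);
            sb.append("event:").append(event).append('\n');
        }
        // Limit -1 keeps trailing empty segments, so a data value ending in a
        // line break still yields an (empty) data: line instead of dropping it.
        for (String line : data.split("\r\n|\r|\n", -1)) {
            sb.append("data:").append(line).append('\n');
        }
        return sb.append('\n').toString();
    }

    /** Field names a client would parse from a frame, treating CR, LF and CRLF as line ends. */
    public static List<String> fieldNames(String frame) {
        List<String> names = new ArrayList<>();
        for (String line : frame.split("\r\n|\r|\n")) {
            int colon = line.indexOf(':');
            if (colon > 0) names.add(line.substring(0, colon));
            else if (!line.isEmpty()) names.add(line); // field name with no value
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled id, taken from the advisory's example.
        String injectedId = "valid\ndata:malicious";

        String naive = naiveEvent(injectedId, null, "hello");
        System.out.println("naive frame fields: " + fieldNames(naive));
        System.out.print(naive);

        try {
            safeEvent(injectedId, null, "hello");
        } catch (InvalidSseFieldException e) {
            System.out.println("hardened framer rejected the id: " + e.getMessage());
        }

        // Constructed data value containing a bare CR, which the naive framer
        // leaves inside a single data: line while the hardened framer splits it.
        String crData = "line1\rline2";
        System.out.println("naive CR fields:    " + fieldNames(naiveEvent(null, null, crData)));
        System.out.println("hardened CR fields: " + fieldNames(safeEvent(null, null, crData)));
    }
}
```

Running main prints the naive frame with an extra data: field that a client would merge into the event payload, then shows the hardened framer refusing the same id. The CR case shows why the \n-only replace was insufficient: a client that treats \r as a line end sees the text after it as a separate, unlabelled line rather than as a second data: line.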

Note: All four of the following conditions must be true for exploitation:

  1. The application uses Spring MVC or Spring WebFlux.
  2. The application sends streaming data to clients using SSE.
  3. The attacker has control over data that will be streamed to other users.
  4. The application uses plain text messages rather than a structured message format like JSON.

Mitigation

Only recent versions of Spring Framework receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Gyu-hyeok Lee (g2h) (finder)

Vulnerability Details

Severity: Low
CVSS assessment scale: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10
ID: CVE-2026-22735
Project affected: Spring Framework
Versions affected: >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.46, >=6.1.0 <=6.1.25, >=6.2.0 <=6.2.16, >=7.0.0 <=7.0.5
NES versions affected:
Published date: March 20, 2026
Fix date (approximate): March 20, 2026
Category: Content Spoofing
VEX document: Download VEX