CVE-2024-22233: Spring Framework server Web DoS Vulnerability

7.5 CVSS

Description

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

* the application uses Spring MVC
* Spring Security 6.1.6+ or 6.2.1+ is on the classpath

Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions.
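One way to turn the conditions above into a repeatable classpath check, as an added example that is not part of this record or of Spring's own tooling: the script below parses lines in the format printed by `mvn dependency:list` (group:artifact:type:version:scope) and reports whether the resolved Spring MVC and Spring Security versions match both conditions. The sample dependency list is constructed for illustration; reading "6.1.6+" as 6.1.6 through 6.1.x and "6.2.1+" as any version at or above 6.2.1 is an assumption about the advisory wording, and only spring-webmvc and spring-security-core are inspected.

```python
"""Check a Maven dependency list against the CVE-2024-22233 conditions.

Added example; it is not part of the CyberAlerts record or of Spring's tooling.
Input lines follow the `mvn dependency:list` format:
    [INFO]    group:artifact:type:version:scope
Lines with a classifier (six fields) are not handled (assumption: not needed here).
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample output in `mvn dependency:list` format, not from a real project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:3.2.1:compile
[INFO]    org.springframework:spring-webmvc:jar:6.1.2:compile
[INFO]    org.springframework:spring-web:jar:6.1.2:compile
[INFO]    org.springframework.boot:spring-boot-starter-security:jar:3.2.1:compile
[INFO]    org.springframework.security:spring-security-core:jar:6.2.1:compile
[INFO]    org.springframework.security:spring-security-web:jar:6.2.1:compile
"""

# Affected Spring Framework releases named in the advisory text.
AFFECTED_FRAMEWORK = {(6, 0, 15), (6, 1, 2)}

MVC_ARTIFACT = "org.springframework:spring-webmvc"
SECURITY_ARTIFACT = "org.springframework.security:spring-security-core"

DEP_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+")


def parse_version(text: str) -> Version:
    """'6.1.2' -> (6, 1, 2); a qualifier such as '-SNAPSHOT' is dropped (assumption)."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def find_versions(dependency_list: str) -> Dict[str, Version]:
    """Map 'group:artifact' -> parsed version for every resolved dependency line."""
    found: Dict[str, Version] = {}
    for line in dependency_list.splitlines():
        m = DEP_RE.match(line)
        if m:
            found[f"{m.group(1)}:{m.group(2)}"] = parse_version(m.group(3))
    return found


def security_qualifies(version: Optional[Version]) -> bool:
    """True for Spring Security 6.1.6+ (within the 6.1 line) or 6.2.1+ (assumed reading)."""
    if version is None or len(version) < 3:
        return False
    major, minor, patch = version[:3]
    if major != 6:
        return False
    if minor == 1:
        return patch >= 6          # 6.1.6, 6.1.7, ... qualify; 6.1.5 does not
    return (minor, patch) >= (2, 1)  # 6.2.0 does not qualify; 6.2.1 and later do


def fmt(version: Optional[Version]) -> str:
    return "absent" if version is None else ".".join(str(p) for p in version)


def is_vulnerable(deps: Dict[str, Version]) -> Tuple[bool, str]:
    """Apply both advisory conditions; returns (matches, human-readable reason)."""
    mvc = deps.get(MVC_ARTIFACT)
    if mvc is None:
        return False, "Spring MVC (spring-webmvc) is not on the classpath"
    if mvc not in AFFECTED_FRAMEWORK:
        return False, f"spring-webmvc {fmt(mvc)} is not one of the affected releases"
    sec = deps.get(SECURITY_ARTIFACT)
    if not security_qualifies(sec):
        return False, f"spring-security-core {fmt(sec)} is below 6.1.6 / 6.2.1 or absent"
    return True, f"spring-webmvc {fmt(mvc)} with spring-security-core {fmt(sec)} matches all conditions"


if __name__ == "__main__":
    matches, reason = is_vulnerable(find_versions(SAMPLE_DEPENDENCY_LIST))
    print(("AFFECTED: " if matches else "not affected: ") + reason)
```

Run it against the output of `mvn dependency:list` from the project under review instead of the constructed sample; a result of "not affected" only means the two conditions in this record are not both met for the artifacts inspected.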

Classification

CVE ID: CVE-2024-22233

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor: Spring

Product: Spring Framework

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.16% (probability of being exploited)

EPSS Percentile: 54.0% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date the score was calculated)

References

https://spring.io/security/cve-2024-22233/
https://security.netapp.com/advisory/ntap-20240614-0005/

Timeline