Spring MVC Controller Methods Vulnerable to DoS Attack
CVE-2024-38828

5.3MEDIUM

Key Information:

Vendor: Spring
Status: Spring
Vendor: CVE Published:; 18 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.

Affected Version(s)

Spring 5.3.x

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

sprig-mvc-demo-patch
Created by First-Roman

References

https://spring.io/security/cve-2024-38828

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Apr 15, 2025
👾
Exploit known to exist
Apr 15, 2025
Vulnerability published
Nov 18, 2024
Vulnerability Reserved
Jun 19, 2024