spring-boot-starter-3.4.1.jar: 7 vulnerabilities (highest severity is: 7.5) #19
Description
Vulnerable Library - spring-boot-starter-3.4.1.jar
Path to dependency file: /firebase/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.4.1/5fb9890a5eb7c4e86c8f5c0f6960b79240daf3d5/spring-boot-3.4.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.4.1/5fb9890a5eb7c4e86c8f5c0f6960b79240daf3d5/spring-boot-3.4.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.4.1/5fb9890a5eb7c4e86c8f5c0f6960b79240daf3d5/spring-boot-3.4.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.4.1/5fb9890a5eb7c4e86c8f5c0f6960b79240daf3d5/spring-boot-3.4.1.jar
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (spring-boot-starter version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-41249 |  High |
7.5 | spring-core-6.2.1.jar | Transitive | 3.4.10 | ❌ |
| CVE-2025-22235 | High |
7.3 | spring-boot-3.4.1.jar | Transitive | N/A* | ❌ |
| CVE-2024-12798 | High |
7.3 | detected in multiple dependencies | Transitive | 3.4.2 | ❌ |
| CVE-2025-11226 |  Medium |
6.9 | logback-core-1.5.12.jar | Transitive | 3.4.11 | ❌ |
| CVE-2026-1225 | Medium |
5.0 | logback-core-1.5.12.jar | Transitive | N/A* | ❌ |
| CVE-2024-12801 | Medium |
4.6 | logback-core-1.5.12.jar | Transitive | 3.4.2 | ❌ |
| CVE-2025-22233 |  Low |
3.1 | spring-context-6.2.1.jar | Transitive | 3.4.6 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-41249
Vulnerable Library - spring-core-6.2.1.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /apns/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.1/f42e6b51d9c0c2fcf95df9e5848470d173adc9af/spring-core-6.2.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.1/f42e6b51d9c0c2fcf95df9e5848470d173adc9af/spring-core-6.2.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.1/f42e6b51d9c0c2fcf95df9e5848470d173adc9af/spring-core-6.2.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.1/f42e6b51d9c0c2fcf95df9e5848470d173adc9af/spring-core-6.2.1.jar
Dependency Hierarchy:
- spring-boot-starter-3.4.1.jar (Root Library)
- ❌ spring-core-6.2.1.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution (org.springframework:spring-core): 6.2.11
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 3.4.10
Step up your Open Source Security Game with Mend here
CVE-2025-22235
Vulnerable Library - spring-boot-3.4.1.jar
Spring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /apns/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.4.1/5fb9890a5eb7c4e86c8f5c0f6960b79240daf3d5/spring-boot-3.4.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.4.1/5fb9890a5eb7c4e86c8f5c0f6960b79240daf3d5/spring-boot-3.4.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.4.1/5fb9890a5eb7c4e86c8f5c0f6960b79240daf3d5/spring-boot-3.4.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/3.4.1/5fb9890a5eb7c4e86c8f5c0f6960b79240daf3d5/spring-boot-3.4.1.jar
Dependency Hierarchy:
- spring-boot-starter-3.4.1.jar (Root Library)
- ❌ spring-boot-3.4.1.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
- You use Spring Security
- EndpointRequest.to() has been used in a Spring Security chain configuration
- The endpoint which EndpointRequest references is disabled or not exposed via web
- Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true: - You don't use Spring Security
- You don't use EndpointRequest.to()
- The endpoint which EndpointRequest.to() refers to is enabled and is exposed
- Your application does not handle requests to /null or this path does not need protection
Publish Date: 2025-04-28
URL: CVE-2025-22235
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-04-24
Fix Resolution: https://github.com/spring-projects/spring-boot.git - v3.4.5,https://github.com/spring-projects/spring-boot.git - v3.3.11,org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11
Step up your Open Source Security Game with Mend here
CVE-2024-12798
Vulnerable Libraries - logback-core-1.5.12.jar, logback-classic-1.5.12.jar
logback-core-1.5.12.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /firebase/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar
Dependency Hierarchy:
- spring-boot-starter-3.4.1.jar (Root Library)
- spring-boot-starter-logging-3.4.1.jar
- logback-classic-1.5.12.jar
- ❌ logback-core-1.5.12.jar (Vulnerable Library)
- logback-classic-1.5.12.jar
- spring-boot-starter-logging-3.4.1.jar
logback-classic-1.5.12.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /apns/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.5.12/3790d1a62e868f7915776dfb392bd9a29ce8d954/logback-classic-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.5.12/3790d1a62e868f7915776dfb392bd9a29ce8d954/logback-classic-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.5.12/3790d1a62e868f7915776dfb392bd9a29ce8d954/logback-classic-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.5.12/3790d1a62e868f7915776dfb392bd9a29ce8d954/logback-classic-1.5.12.jar
Dependency Hierarchy:
- spring-boot-starter-3.4.1.jar (Root Library)
- spring-boot-starter-logging-3.4.1.jar
- ❌ logback-classic-1.5.12.jar (Vulnerable Library)
- spring-boot-starter-logging-3.4.1.jar
Found in base branch: main
Vulnerability Details
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-12-19
URL: CVE-2024-12798
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-pr98-23f8-jwxv
Release Date: 2024-12-19
Fix Resolution (ch.qos.logback:logback-core): 1.5.13
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 3.4.2
Fix Resolution (ch.qos.logback:logback-classic): 1.5.13
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 3.4.2
Step up your Open Source Security Game with Mend here
CVE-2025-11226
Vulnerable Library - logback-core-1.5.12.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /firebase/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar
Dependency Hierarchy:
- spring-boot-starter-3.4.1.jar (Root Library)
- spring-boot-starter-logging-3.4.1.jar
- logback-classic-1.5.12.jar
- ❌ logback-core-1.5.12.jar (Vulnerable Library)
- logback-classic-1.5.12.jar
- spring-boot-starter-logging-3.4.1.jar
Found in base branch: main
Vulnerability Details
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution.
A successful attack requires the presence of Janino library and Spring Framework to be present on the user's class path. In addition, the attacker must have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Publish Date: 2025-10-01
URL: CVE-2025-11226
CVSS 3 Score Details (6.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-25qh-j22f-pwp8
Release Date: 2025-10-01
Fix Resolution (ch.qos.logback:logback-core): 1.5.19
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 3.4.11
Step up your Open Source Security Game with Mend here
CVE-2026-1225
Vulnerable Library - logback-core-1.5.12.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /firebase/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar
Dependency Hierarchy:
- spring-boot-starter-3.4.1.jar (Root Library)
- spring-boot-starter-logging-3.4.1.jar
- logback-classic-1.5.12.jar
- ❌ logback-core-1.5.12.jar (Vulnerable Library)
- logback-classic-1.5.12.jar
- spring-boot-starter-logging-3.4.1.jar
Found in base branch: main
Vulnerability Details
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.
The instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must have write access to a
configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.
Publish Date: 2026-01-22
URL: CVE-2026-1225
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-22
Fix Resolution: https://github.com/qos-ch/logback.git - v_1.5.25
Step up your Open Source Security Game with Mend here
CVE-2024-12801
Vulnerable Library - logback-core-1.5.12.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /firebase/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.5.12/65b1fa25fe8d8e4bdc140e79eb67ac6741f775e2/logback-core-1.5.12.jar
Dependency Hierarchy:
- spring-boot-starter-3.4.1.jar (Root Library)
- spring-boot-starter-logging-3.4.1.jar
- logback-classic-1.5.12.jar
- ❌ logback-core-1.5.12.jar (Vulnerable Library)
- logback-classic-1.5.12.jar
- spring-boot-starter-logging-3.4.1.jar
Found in base branch: main
Vulnerability Details
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to
forge requests by compromising logback configuration files in XML.
The attacks involves the modification of DOCTYPE declaration in XML configuration files.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-12-19
URL: CVE-2024-12801
CVSS 3 Score Details (4.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-6v67-2wr5-gvf4
Release Date: 2024-12-19
Fix Resolution (ch.qos.logback:logback-core): 1.5.13
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 3.4.2
Step up your Open Source Security Game with Mend here
CVE-2025-22233
Vulnerable Library - spring-context-6.2.1.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /hermes/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/6.2.1/f56c7431b03860bfdb016e68f484c5c35531ef2e/spring-context-6.2.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/6.2.1/f56c7431b03860bfdb016e68f484c5c35531ef2e/spring-context-6.2.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/6.2.1/f56c7431b03860bfdb016e68f484c5c35531ef2e/spring-context-6.2.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/6.2.1/f56c7431b03860bfdb016e68f484c5c35531ef2e/spring-context-6.2.1.jar
Dependency Hierarchy:
- spring-boot-starter-3.4.1.jar (Root Library)
- spring-boot-3.4.1.jar
- ❌ spring-context-6.2.1.jar (Vulnerable Library)
- spring-boot-3.4.1.jar
Found in base branch: main
Vulnerability Details
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
- 6.2.0 - 6.2.6
- 6.1.0 - 6.1.19
- 6.0.0 - 6.0.27
- 5.3.0 - 5.3.42
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix Version Availability 6.2.x
6.2.7
OSS6.1.x
6.1.20
OSS6.0.x
6.0.28
Commercial https://enterprise.spring.io/ 5.3.x
5.3.43
Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Publish Date: 2025-05-16
URL: CVE-2025-22233
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233
Release Date: 2025-05-16
Fix Resolution (org.springframework:spring-context): 6.2.7
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 3.4.6
Step up your Open Source Security Game with Mend here