CVE-2024-38816

HIGH EXPLOITED NUCLEI

Spring WebMvc.fn and WebFlux.fn - Path Traversal via Static Resource Handling

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2024-38816 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 5 public exploits from researchers including WULINPIN, startsw1th, jaloon. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2024-38816, demonstrating a path traversal vulnerability in Spring Framework 6.0.3. The exploit leverages symbolic links and %-encoded characters to traverse directories and access sensitive files like /etc/passwd.

Description

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use * the application runs on Tomcat or Jetty

Exploits (5)

nomisec WORKING POC 10 stars
by WULINPIN · infoleak
https://github.com/WULINPIN/CVE-2024-38816-PoC

This repository contains a functional proof-of-concept for CVE-2024-38816, demonstrating a path traversal vulnerability in Spring Framework 6.0.3. The exploit leverages symbolic links and %-encoded characters to traverse directories and access sensitive files like /etc/passwd.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Spring Framework 6.0.3 (Spring Boot 3.0.13)
No auth needed
Prerequisites: RouterFunctions usage · FileSystemResource usage · Symbolic links present · %-encoded characters in attack path
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB 3 stars
by startsw1th · poc
https://github.com/startsw1th/cve-2024-38816-demo

The repository contains minimal Spring Boot configuration code but lacks any exploit logic or demonstration of CVE-2024-38816. It appears to be a placeholder or incomplete PoC.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Unknown (Spring Boot application)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP
by jaloon · poc
https://github.com/jaloon/spring-webmvc5

This repository is a fork of Spring Web MVC 5.3.39 with fixes for CVE-2024-38816 and CVE-2024-38819. It provides patched source code and a Maven dependency for mitigation, but does not include exploit code or detailed vulnerability analysis.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Spring Web MVC 5.3.39
No auth needed
Prerequisites: Vulnerable Spring Web MVC 5.3.39 installation
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by wdragondragon · poc
https://github.com/wdragondragon/spring-framework

The repository contains only GitHub workflow and action files, with no exploit code or technical details related to CVE-2024-38816. It appears to be a placeholder or incomplete repository.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Spring Framework
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Anthony1078 · poc
https://github.com/Anthony1078/App-vulnerable

This repository contains a vulnerable Spring Boot application demonstrating a directory traversal vulnerability (CVE-2024-38816) in the FileController. The application allows arbitrary file reads via a crafted filename parameter in the POST request, enabling path traversal attacks.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Custom Spring Boot application (version unspecified)
No auth needed
Prerequisites: Network access to the vulnerable endpoint · Knowledge of the base path structure
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

WebMvc.fn/WebFlux.fn - Path Traversal
HIGHby pussycat0x

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.9389
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2024-10-22
CWE
CWE-22
Status published
Products (5)
org.springframework/spring-webflux 6.1.0 - 6.1.13Maven
org.springframework/spring-webmvc 6.1.0 - 6.1.13Maven
Spring/Spring 5.3.x - 5.3.40
Spring/Spring 6.0.x - 6.0.24
Spring/Spring 6.1.x - 6.1.13
Published Sep 13, 2024
Tracked Since Feb 18, 2026