CVE-2024-38821

CRITICAL

org.springframework.security Spring-s... - Resource Allocation Without Limits

Title source: rule

Description

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:

* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support

Exploits (2)

nomisec SUSPICIOUS 3 stars
by mouadk · poc
https://github.com/mouadk/cve-2024-38821
nomisec WORKING POC 1 stars
by masa42 · poc
https://github.com/masa42/CVE-2024-38821-POC

Scores

CVSS v3 9.1
EPSS 0.1309
EPSS Percentile 94.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-770
Status published
Products (7)
org.springframework.security/spring-security-web 0 - 5.7.13 (Maven)
Spring/Spring 5.7.x - 5.7.13
Spring/Spring 5.8.x - 5.8.15
Spring/Spring 6.0.x - 6.0.13
Spring/Spring 6.1.x - 6.1.11
Spring/Spring 6.2.x - 6.2.7
Spring/Spring 6.3.x - 6.3.4
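Added triage helper, not code from the Spring project or from the tracker that produced this record: it reads a Maven pom.xml, finds every org.springframework.security:spring-security-web dependency and reports whether the declared version falls inside one of the affected ranges listed above. Assumptions: the ranges are taken as printed, inclusive at both ends (the Maven entry "0 - 5.7.13" covers everything up to 5.7.13, the remaining rows are per-branch ranges); a version carrying a qualifier such as 6.3.4-SNAPSHOT or 5.7.13.RELEASE is triaged as its numeric part; a version inherited from a BOM or a property placeholder is reported as undetermined rather than guessed. The sample pom.xml is constructed for the demonstration.

```python
"""Triage helper for CVE-2024-38821: is a declared spring-security-web version
inside the affected ranges this record lists?  Added example, not Spring code."""
import re
import xml.etree.ElementTree as ET

# Affected ranges copied from the Products list: (lower, upper), both inclusive.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 7, 13)),   # "0 - 5.7.13": every release up to and including 5.7.13
    ((5, 8, 0), (5, 8, 15)),   # 5.8.x - 5.8.15
    ((6, 0, 0), (6, 0, 13)),   # 6.0.x - 6.0.13
    ((6, 1, 0), (6, 1, 11)),   # 6.1.x - 6.1.11
    ((6, 2, 0), (6, 2, 7)),    # 6.2.x - 6.2.7
    ((6, 3, 0), (6, 3, 4)),    # 6.3.x - 6.3.4
]


def parse_version(text):
    """'6.3.4', '6.3.4-SNAPSHOT' or '5.7.13.RELEASE' -> (6, 3, 4) / (5, 7, 13).
    Assumption: qualifiers are dropped, so a pre-release of X is triaged as X."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True when the version sits in any listed range (tuple comparison is lexicographic)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _local(tag):
    """Strip the XML namespace so poms with and without the Maven xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def spring_security_web_versions(pom_xml):
    """Version strings declared for org.springframework.security:spring-security-web,
    scanning <dependencies> and <dependencyManagement> alike.  A dependency without
    an inline <version> (inherited from a BOM) is reported as None."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        if (_child_text(dep, "groupId") == "org.springframework.security"
                and _child_text(dep, "artifactId") == "spring-security-web"):
            found.append(_child_text(dep, "version"))
    return found


def triage_pom(pom_xml):
    """List of (declared version, verdict): True = inside a listed range,
    False = outside every listed range, None = cannot judge until the version
    is resolved (inherited from a BOM or given as a ${property} placeholder)."""
    verdicts = []
    for v in spring_security_web_versions(pom_xml):
        if v is None or not re.match(r"^\s*\d", v):
            verdicts.append((v, None))
        else:
            verdicts.append((v, is_affected(v)))
    return verdicts


# Constructed sample pom.xml for the demo, not taken from any real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>webflux-app</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>6.3.4</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, hit in triage_pom(SAMPLE_POM):
        if hit is None:
            print(f"{version}: resolve the effective version first (mvn help:effective-pom)")
        else:
            print(f"{version}: {'inside an affected range' if hit else 'outside the listed ranges'}")
```

The verdict only says whether the version is in the ranges this record lists; the Description's three conditions (WebFlux, static resources support, a non-permitAll rule on them) still have to be checked against the application's configuration before calling it exploitable.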
Published Oct 28, 2024
Tracked Since Feb 18, 2026