CVE-2024-38821

CRITICAL

Spring WebFlux - Authorization Bypass via Static Resource Handling

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-38821, with PoCs published by mouadk and masa42.

Description

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:

* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support

Exploits (2)

nomisec: SUSPICIOUS · 3 stars
by mouadk · poc
https://github.com/mouadk/cve-2024-38821

The repository lacks functional exploit code and only contains a README with a link to an external analysis and minimal configuration files. No technical details or PoC code are provided.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Spring WebFlux
Authentication required: none
Analyzed by devstral-2 on Feb 18, 2026

nomisec: WORKING POC · 1 star
by masa42 · poc
https://github.com/masa42/CVE-2024-38821-POC

This repository provides a functional proof-of-concept for CVE-2024-38821, demonstrating an authentication bypass in Spring Framework via path traversal. It includes vulnerable and patched Dockerized Spring Boot applications, along with clear instructions to reproduce the issue.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Spring Framework 6.1.13 (Spring Boot 3.3.4)
Authentication required: none
Prerequisites: Docker · curl
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3: 9.1
EPSS: 0.1309 (percentile 94.3%)
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-770
Status: published

Products (7)

org.springframework.security/spring-security-web (Maven): 0 - 5.7.13
Spring/Spring: 5.7.x - 5.7.13
Spring/Spring: 5.8.x - 5.8.15
Spring/Spring: 6.0.x - 6.0.13
Spring/Spring: 6.1.x - 6.1.11
Spring/Spring: 6.2.x - 6.2.7
Spring/Spring: 6.3.x - 6.3.4

Published: Oct 28, 2024
Tracked since: Feb 18, 2026