CVE-2024-38828

MEDIUM

Spring WebMVC 5.3.0-5.3.41 - Denial of Service via @RequestBody byte[] Parameter

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2024-38828. PoCs published by funcid, topilov, First-Roman.

AI-analyzed exploit summary

This repository contains a functional proof-of-concept for CVE-2024-38828, a DoS vulnerability in Spring Framework's ByteArrayHttpMessageConverter. It includes a custom converter to mitigate the issue and a load test script to demonstrate the vulnerability.

Description

Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. The body of such a request is read by ByteArrayHttpMessageConverter, which in the affected 5.3.x releases pre-sizes its buffer from the client-supplied Content-Length header. An unauthenticated client that sends a request declaring a very large Content-Length (the public PoCs use Integer.MAX_VALUE) therefore makes the server attempt an allocation of that size before it has consumed any body bytes, exhausting the heap or raising an allocation error; repeating the request degrades or crashes the application. The fixed converter reads the body without trusting the declared length. Applications that cannot upgrade can replace the converter with one that enforces a size cap, which is what the mitigation code in the PoC repositories below does.
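The following is an added example of the size-capped converter approach, written for this page; it is not Spring's own fix and not the code from any of the PoC repositories. The class name BoundedByteArrayHttpMessageConverter, the configuration class, and the 1 MiB limit are assumptions for illustration. It rejects an oversized declared Content-Length before allocating anything, and it also counts the bytes actually received, so a request that under-declares its length (or uses chunked encoding with no Content-Length at all) is cut off at the same cap.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpInputMessage;
import org.springframework.http.converter.ByteArrayHttpMessageConverter;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Size-capped replacement for the stock ByteArrayHttpMessageConverter.
 * Hypothetical class written for this example; not Spring's own fix.
 *
 * The vulnerable 5.3.x converter sizes its buffer from the Content-Length
 * header, so a request that merely claims Content-Length: 2147483647 forces
 * a ~2 GiB allocation before any body byte is read. This version never
 * trusts the declared length.
 */
public class BoundedByteArrayHttpMessageConverter extends ByteArrayHttpMessageConverter {

    private static final int CHUNK = 8 * 1024;

    private final int maxBytes;

    public BoundedByteArrayHttpMessageConverter(int maxBytes) {
        if (maxBytes <= 0) {
            throw new IllegalArgumentException("maxBytes must be positive");
        }
        this.maxBytes = maxBytes;
    }

    @Override
    public byte[] readInternal(Class<? extends byte[]> clazz, HttpInputMessage inputMessage)
            throws IOException {
        long declared = inputMessage.getHeaders().getContentLength(); // -1 when absent
        if (declared > maxBytes) {
            // Fail fast on the declared size; nothing has been allocated yet.
            throw new HttpMessageNotReadableException(
                    "Declared request body size " + declared + " exceeds limit of " + maxBytes + " bytes",
                    inputMessage);
        }

        // The buffer starts small and grows only with bytes that actually arrive.
        ByteArrayOutputStream out = new ByteArrayOutputStream(CHUNK);
        byte[] chunk = new byte[CHUNK];
        long received = 0;
        InputStream body = inputMessage.getBody();
        int n;
        while ((n = body.read(chunk)) != -1) {
            received += n;
            if (received > maxBytes) {
                // Declared length was too small, or absent (e.g. chunked transfer encoding).
                throw new HttpMessageNotReadableException(
                        "Request body exceeds limit of " + maxBytes + " bytes", inputMessage);
            }
            out.write(chunk, 0, n);
        }
        return out.toByteArray();
    }
}

/** Registers the bounded converter ahead of Spring's default (assumed 1 MiB limit). */
@Configuration
class ByteArrayBodyLimitConfig implements WebMvcConfigurer {

    static final int MAX_BODY_BYTES = 1024 * 1024;

    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        // Drop the stock converter so it can no longer be selected for byte[] parameters,
        // then put the bounded one first so it wins converter resolution.
        converters.removeIf(c -> c.getClass() == ByteArrayHttpMessageConverter.class);
        converters.add(0, new BoundedByteArrayHttpMessageConverter(MAX_BODY_BYTES));
    }
}
```

HttpMessageNotReadableException is mapped by Spring MVC to a 400 response, so an oversized request fails cleanly instead of taking the JVM down. Note that container-level limits such as Tomcat's maxPostSize do not cover this path: that setting applies only to form-parameter parsing, while the vulnerable allocation is driven by the declared header before the body is read. The converter swap is a stop-gap; upgrading to a fixed Spring Framework release remains the actual remediation.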

Exploits (4)

nomisec WORKING POC
by funcid · poc
https://github.com/funcid/CVE-2024-38828

This repository contains a functional proof-of-concept for CVE-2024-38828, a DoS vulnerability in Spring Framework's ByteArrayHttpMessageConverter. It includes a custom converter to mitigate the issue and a load test script to demonstrate the vulnerability.

Classification: Working PoC (95% confidence)
Attack type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Spring Framework 5.3.x
Authentication: none required
Prerequisites: Spring Framework 5.3.x application with a byte[] endpoint
Analyzed by devstral-2, Feb 18, 2026

nomisec WORKING POC
by topilov · poc
https://github.com/topilov/axiom-jdk-test-task

This repository contains a functional proof-of-concept for CVE-2024-38828, demonstrating a denial-of-service (DoS) vulnerability in Spring applications by exploiting improper handling of large byte array inputs. The test case simulates an attack by sending a request with a Content-Length header set to Integer.MAX_VALUE, which triggers an exception.

Classification: Working PoC (90% confidence)
Attack type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Spring Framework (specific version not specified)
Authentication: none required
Prerequisites: Spring application with vulnerable byte array handling
Analyzed by devstral-2, Apr 09, 2026

nomisec WORKING POC
by topilov · poc
https://github.com/topilov/axiom-jdk

This repository contains a functional PoC for CVE-2024-38828, demonstrating a DoS vulnerability in Spring Framework's ByteArrayHttpMessageConverter. The exploit leverages a crafted Content-Length header to trigger an exception, causing resource exhaustion.

Classification: Working PoC (90% confidence)
Attack type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Spring Framework (versions affected by CVE-2024-38828)
Authentication: none required
Prerequisites: Network access to the target application; ability to send HTTP requests with crafted headers
Analyzed by devstral-2, Feb 18, 2026

nomisec WORKING POC
by First-Roman · poc
https://github.com/First-Roman/sprig-mvc-demo-patch

This repository demonstrates a partial fix for CVE-2024-38828, a DoS vulnerability in Spring Framework where large or malformed byte[] requests can exhaust memory. It includes a custom ByteArrayConverter to enforce size limits and prevent resource exhaustion.

Classification: Working PoC (90% confidence)
Attack type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Spring Framework (versions below 5.3.33)
Authentication: none required
Prerequisites: A Spring MVC application with a controller accepting byte[] requests
Analyzed by devstral-2, Feb 18, 2026


Scores

CVSS v3.1 base score: 5.3 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.0008 (23.1st percentile)
Attack Vector: Network

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-400 (Uncontrolled Resource Consumption)
Status: published
Products (2):
org.springframework/spring-webmvc 5.3.0 - 5.3.42 (Maven)
Spring/Spring 5.3.x - 5.3.42
Published Nov 18, 2024
Tracked Since Feb 18, 2026