CVE-2023-34036
Malicious Forwarded Headers vulnerability in spring-hateoas (Maven)
What is CVE-2023-34036 About?
This vulnerability involves reactive web applications using Spring HATEOAS that are exposed to malicious forwarded headers. If not properly protected by a trusted proxy, applications might process untrusted `X-Forwarded` headers, leading to potential security bypasses or misbehavior. Exploitation requires specific architectural conditions but can be relatively straightforward if these conditions are met.
Affected Software
- org.springframework.hateoas:spring-hateoas
- >2.1.0, <2.1.1
- >2.0.0, <2.0.5
- <1.5.5
Technical Details
Reactive web applications built with Spring WebFlux and Spring HATEOAS that generate hypermedia-based responses are susceptible to this vulnerability. The issue arises when X-Forwarded headers, such as X-Forwarded-Host or X-Forwarded-Proto, are processed without proper validation or filtering. If the application is not behind a trusted proxy that ensures the correctness of these headers, or if the application itself doesn't explicitly handle and potentially discard untrusted forwarded headers, a malicious actor can supply arbitrary values in these headers. This can lead to the application generating incorrect URLs in its hypermedia links, potentially facilitating phishing, cache poisoning, or bypassing security controls that rely on correct host or scheme identification.
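The following Java snippet is an added example, not code from the advisory or from the Spring HATEOAS project. It assumes spring-web and spring-test on the classpath and uses constructed host names; it contrasts the default forwarded-header handling in Spring WebFlux, where a client-supplied X-Forwarded-Host rewrites the request URI that link builders read, with the remove-only mode that strips those headers when no trusted proxy is in front of the application.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.web.server.adapter.ForwardedHeaderTransformer;

public class ForwardedHeaderDemo {

    // Constructed sample: a request that reached the application directly,
    // carrying X-Forwarded-* values that no trusted proxy set.
    static ServerHttpRequest untrustedRequest() {
        return MockServerHttpRequest.get("https://api.example.com/orders/42")
                .header("X-Forwarded-Host", "forged-host.example")
                .header("X-Forwarded-Proto", "http")
                .build();
    }

    // Default mode: the transformer trusts the headers and rewrites the
    // request URI, so any hypermedia link derived from request.getURI()
    // carries the forged host and scheme.
    static String hostAfterApplyingHeaders(ServerHttpRequest request) {
        return new ForwardedHeaderTransformer().apply(request).getURI().getHost();
    }

    // Hardened mode: remove-only strips Forwarded and X-Forwarded-* headers
    // without applying them, so generated links keep the real host.
    static String hostAfterStrippingHeaders(ServerHttpRequest request) {
        ForwardedHeaderTransformer transformer = new ForwardedHeaderTransformer();
        transformer.setRemoveOnly(true);
        return transformer.apply(request).getURI().getHost();
    }

    public static void main(String[] args) {
        ServerHttpRequest request = untrustedRequest();
        System.out.println("applied : " + hostAfterApplyingHeaders(request));
        System.out.println("stripped: " + hostAfterStrippingHeaders(request));
    }

    // Assumed deployment wiring: Spring Boot picks up a bean named
    // "forwardedHeaderTransformer" for the WebFlux handler chain. Use this
    // (or server.forward-headers-strategy=framework plus a trusted proxy)
    // rather than letting arbitrary clients set forwarded headers.
    @Configuration
    static class ForwardedHeaderConfig {
        @Bean
        ForwardedHeaderTransformer forwardedHeaderTransformer() {
            ForwardedHeaderTransformer transformer = new ForwardedHeaderTransformer();
            transformer.setRemoveOnly(true);
            return transformer;
        }
    }
}
```

If the application does sit behind a proxy you control, keep the default (applying) mode but make sure that proxy overwrites, rather than forwards, any X-Forwarded-* headers it receives from clients.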
What is the Impact of CVE-2023-34036?
Successful exploitation may allow attackers to manipulate generated links in hypermedia responses, leading to phishing attacks, cache poisoning, or bypassing security controls that rely on proper URL construction.
What is the Exploitability of CVE-2023-34036?
Exploitation of this vulnerability requires specific environmental conditions. It is of moderate complexity, primarily dependent on the application's infrastructure setup. The attacking party needs remote access to the application. There are no explicit authentication or privilege requirements to send crafted X-Forwarded headers. The main prerequisite is that the application uses the reactive web stack (Spring WebFlux) with Spring HATEOAS and is not protected by an intermediary trusted proxy, nor does it have internal mechanisms to handle untrusted forwarded headers. The risk of exploitation increases significantly in deployments where applications are directly exposed to the internet or are fronted by misconfigured proxies that allow arbitrary X-Forwarded header injection.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-34036?
Available Upgrade Options
- org.springframework.hateoas:spring-hateoas
- <1.5.5 → Upgrade to 1.5.5
- org.springframework.hateoas:spring-hateoas
- >2.0.0, <2.0.5 → Upgrade to 2.0.5
- org.springframework.hateoas:spring-hateoas
- >2.1.0, <2.1.1 → Upgrade to 2.1.1
Additional Resources
What are Similar Vulnerabilities to CVE-2023-34036?
Similar Vulnerabilities: CVE-2018-1258, CVE-2020-5407, CVE-2021-22002, CVE-2017-8046, CVE-2022-31792
