CVE-2024-22259
Open Redirect vulnerability in spring-web (Maven)


What is CVE-2024-22259 About?

This vulnerability affects applications using `UriComponentsBuilder` in Spring Framework to process external URLs, allowing open redirection or Server-Side Request Forgery (SSRF) if host validation is bypassed. It is fundamentally the same issue as CVE-2024-22243 but with a different input vector. Exploitation is possible when host validation is improperly handled in the presence of specific input forms.

Affected Software

  • org.springframework:spring-web
    • >6.1.0, <6.1.5
    • >6.0.0, <6.0.18
    • <5.3.33

Technical Details

Like CVE-2024-22243, this vulnerability affects applications that parse externally supplied URLs with Spring Framework's UriComponentsBuilder and then validate the host component. The difference is the form of malicious input that slips past those checks; the advisory does not detail that input. The attacker supplies a URL that, as parsed by UriComponentsBuilder, appears to carry an acceptable host during the application's validation step, yet resolves to a different, attacker-chosen host when the application later uses it (for example, to redirect a user or to make an internal request). The result is an Open Redirect, steering users to attacker-controlled sites, or SSRF, causing the server to reach internal network resources or arbitrary external services on the attacker's behalf.

What is the Impact of CVE-2024-22259?

Successful exploitation may allow attackers to redirect users to arbitrary malicious websites for phishing or to induce the server to make unauthorized requests to internal resources or external services, leading to information disclosure or further compromise.

What is the Exploitability of CVE-2024-22259?

Exploitation complexity is medium, comparable to CVE-2024-22243, but requires familiarity with the specific alternative input format that triggers this variant: the attacker must understand how UriComponentsBuilder and the application's host validation interact with that input. No authentication or privileges are generally required beyond the ability to supply URL-based input to the application. The vulnerability is exploitable remotely by sending a crafted request containing the malicious URL. The key precondition is that the application uses UriComponentsBuilder to parse and validate externally provided URLs, especially for redirection or server-side requests. Risk is highest where UriComponentsBuilder is used to validate untrusted URL input that is then acted upon, particularly in URL-redirection features or proxy-like functionality.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-22259?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch enhances URI validation by introducing stricter checks that ensure the host portion of an HTTP(S) URL is present and that IPv6 hosts are correctly enclosed in brackets. This fix addresses CVE-2024-22259 by preventing malformed or malicious URIs with invalid or unclosed IPv6 addresses from being accepted, which could otherwise lead to security bypasses or parsing errors.
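The validate-then-use flow described under Technical Details, and the application-side hardening that complements the library patch, as an added example (not Resolved Security's or Spring's own code). The allowlisted hosts are constructed for the example; `redirectTargetUnsafe` shows the pattern the advisory warns about and `redirectTargetSafe` shows a defensive rewrite.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public final class RedirectTargetValidator {
    // Constructed allowlist for the example; a real service loads this from config.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "sso.example.com");

    private RedirectTargetValidator() {}

    // Vulnerable pattern from the advisory: check the host that UriComponentsBuilder
    // reports, then hand the ORIGINAL string to the redirect. On an affected
    // spring-web the two can disagree, which is the whole bug.
    public static String redirectTargetUnsafe(String externalUrl) {
        UriComponents uc = UriComponentsBuilder.fromUriString(externalUrl).build();
        String host = uc.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        return externalUrl; // the redirect uses raw input the check never looked at
    }

    // Hardened pattern: require http(s), obtain the host from two independent parsers
    // (Spring and java.net.URI) and insist they agree, then emit a URI rebuilt from
    // the validated components instead of echoing the raw string. Userinfo is dropped.
    public static String redirectTargetSafe(String externalUrl) {
        UriComponents uc = UriComponentsBuilder.fromUriString(externalUrl).build();
        URI jdk;
        try {
            jdk = new URI(externalUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable URL", e);
        }
        String scheme = uc.getScheme();
        String host = uc.getHost();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("scheme must be http or https");
        }
        if (host == null || !host.equalsIgnoreCase(jdk.getHost())
                || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        return UriComponentsBuilder.newInstance()
                .scheme(scheme.toLowerCase()).host(host).port(uc.getPort())
                .path(uc.getPath()).query(uc.getQuery()).fragment(uc.getFragment())
                .build().toUriString();
    }
}
```

Rebuilding the redirect from validated components is defense in depth, not a substitute for upgrading to a fixed spring-web release.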

Available Upgrade Options

  • org.springframework:spring-web
    • <5.3.33 → Upgrade to 5.3.33
    • >6.0.0, <6.0.18 → Upgrade to 6.0.18
    • >6.1.0, <6.1.5 → Upgrade to 6.1.5


Additional Resources

What are Similar Vulnerabilities to CVE-2024-22259?

Similar Vulnerabilities: CVE-2024-22243, CVE-2023-34035, CVE-2022-22965, CVE-2021-22097, CVE-2020-5421