CVE-2024-22262
Open Redirect vulnerability in spring-web (Maven)


What is CVE-2024-22262 About?

This vulnerability affects applications using `UriComponentsBuilder` that parse externally provided URLs and validate their host. It can lead to open redirect or SSRF attacks by allowing an attacker to bypass host validation. Exploitation typically involves crafting a malicious URL that misleads the parsing and validation logic.

Affected Software

  • org.springframework:spring-web
    • >6.0.0, <6.0.19
    • >6.1.0, <6.1.6
    • <5.3.34

Technical Details

The vulnerability arises when an application uses Spring's UriComponentsBuilder to parse a URL provided externally (e.g., via a query parameter) and subsequently performs host validation checks. The UriComponentsBuilder may fail to correctly determine the effective host from a maliciously crafted URL, especially when certain characters or schemes are used. An attacker can construct a URL that appears legitimate during the validation phase but, when later used (e.g., for redirection or an internal request), directs to an unintended external host (open redirect) or an internal resource (SSRF), effectively bypassing the host validation designed to prevent such malicious actions. This behavior is similar to previously identified issues in Spring's URI parsing.
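As an added illustration (not code from this advisory, from Resolved Security's patch, or from the Spring project), the host-validation pattern described above beside a stricter application-level check; the class, method names and the allowed host are assumptions:

```java
// Hypothetical helper: the lenient check relies solely on the host that
// UriComponentsBuilder extracts; the strict check cross-validates it.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectHostCheck {
    // Constructed sample allowlist of redirect targets.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    // Pattern affected by CVE-2024-22262 on vulnerable spring-web versions:
    // a crafted URL can pass this check yet resolve to another host later.
    static boolean isAllowedLenient(String url) {
        String host = UriComponentsBuilder.fromUriString(url).build().getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // Stricter variant: reject backslashes outright (the characters the fix
    // disallows), require a URL the RFC 3986 parser java.net.URI accepts,
    // require an absolute http(s) URL without userinfo, and require both
    // parsers to agree on the host so a parsing discrepancy cannot slip through.
    static boolean isAllowedStrict(String url) {
        if (url == null || url.indexOf('\\') >= 0) return false;
        URI strict;
        try {
            strict = new URI(url);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = strict.getScheme();
        if (scheme == null) return false;
        if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return false;
        if (strict.getRawUserInfo() != null) return false;
        String strictHost = strict.getHost();
        if (strictHost == null) return false;
        String lenientHost;
        try {
            lenientHost = UriComponentsBuilder.fromUriString(url).build().getHost();
        } catch (IllegalArgumentException e) {
            return false;
        }
        return strictHost.equalsIgnoreCase(lenientHost)
                && ALLOWED_HOSTS.contains(strictHost.toLowerCase());
    }
}
```

The strict check is a defence-in-depth measure for the application layer; upgrading spring-web to a fixed version remains the primary remediation.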

What is the Impact of CVE-2024-22262?

Successful exploitation may allow attackers to redirect users to arbitrary malicious websites (open redirect) or force the server to make requests to internal or external systems (SSRF), potentially leading to data leakage, unauthorized access, or internal network reconnaissance.

What is the Exploitability of CVE-2024-22262?

Exploitation is of moderate complexity. An attacker needs to craft a specific URL that exploits the parsing inconsistencies of UriComponentsBuilder to bypass host validation. Authentication and privilege requirements depend on where the vulnerable URL parsing occurs; if it's in a publicly accessible endpoint, no authentication might be needed, making it a remote unauthenticated attack. If it's in an authenticated feature, user authentication is a prerequisite. This is fundamentally a remote attack vector. The vulnerability relies on the application both parsing external URLs with UriComponentsBuilder and performing host validation, which is then bypassed. The existence of proofs of concept suggests that the techniques are known and demonstrable, increasing the potential for real-world exploitation.

What are the Known Public Exploits?

  • PoC author: Performant-Labs
    • Link: PoC for CVE-2024-22262

What are the Available Fixes for CVE-2024-22262?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch tightens regular expressions used to parse URI components by disallowing backslashes ("\") in the scheme, userinfo, host, and port portions, which previously permitted ambiguous or incorrect parsing. It fixes CVE-2024-22262 by preventing attacker-controlled backslashes from being interpreted as valid URI delimiters, mitigating potential request smuggling and header injection vulnerabilities.

Available Upgrade Options

  • org.springframework:spring-web
    • <5.3.34 → Upgrade to 5.3.34
    • >6.0.0, <6.0.19 → Upgrade to 6.0.19
    • >6.1.0, <6.1.6 → Upgrade to 6.1.6


Additional Resources

What are Similar Vulnerabilities to CVE-2024-22262?

Similar Vulnerabilities: CVE-2024-22259, CVE-2024-22243, CVE-2022-22971, CVE-2023-20863, CVE-2020-5407