{"package":"org.springframework:spring-core","ecosystem":"maven","latest_version":"7.0.0-M6","description":"Spring Core","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://github.com/spring-projects/spring-framework","repository":"https://github.com/spring-projects/spring-framework","downloads_weekly":null,"health":{"score":25,"risk":"critical","breakdown":{"maintenance":10,"popularity":0,"security":0,"maturity":15,"community":0},"deprecated":false,"max_score":100},"vulnerabilities":{"count":18,"critical":0,"high":8,"medium":10,"low":0,"details":[{"vuln_id":"CVE-2018-1272","severity":"high","summary":"Possible privilege escalation in org.springframework:spring-core","affected_versions":"<4.3.15|>=5.0.0,<5.0.5|=1.0|=1.0-rc1|=1.0.1|=1.1|=1.1-rc1|=1.1-rc2|=1.1.1|=1.1.2|=1.1.3|=1.1.4|=1.1.5|=1.2|=1.2-rc1|=1.2-rc2|=1.2.1|=1.2.2|=1.2.3|=1.2.4|=1.2.5|=1.2.6|=1.2.7|=1.2.8|=1.2.9|=2.0|=2.0-m1|=2.0-m2|=2.0-m3|=2.0-m4|=2.0-m5|=2.0-rc1|=2.0-rc2|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5|=2.0.6|=2.0.7|=2.0.8|=2.5|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.5|=2.5.6|=2.5.6.SEC01|=2.5.6.SEC02|=2.5.6.SEC03|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=3.0.6.RELEASE|=3.0.7.RELEASE|=3.1.0.RELEASE|=3.1.1.RELEASE|=3.1.2.RELEASE|=3.1.3.RELEASE|=3.1.4.RELEASE|=3.2.0.RELEASE|=3.2.1.RELEASE|=3.2.10.RELEASE|=3.2.11.RELEASE|=3.2.12.RELEASE|=3.2.13.RELEASE|=3.2.14.RELEASE|=3.2.15.RELEASE|=3.2.16.RELEASE|=3.2.17.RELEASE|=3.2.18.RELEASE|=3.2.2.RELEASE|=3.2.3.RELEASE|=3.2.4.RELEASE|=3.2.5.RELEASE|=3.2.6.RELEASE|=3.2.7.RELEASE|=3.2.8.RELEASE|=3.2.9.RELEASE|=4.0.0.RELEASE|=4.0.1.RELEASE|=4.0.2.RELEASE|=4.0.3.RELEASE|=4.0.4.RELEASE|=4.0.5.RELEASE|=4.0.6.RELEASE|=4.0.7.RELEASE|=4.0.8.RELEASE|=4.0.9.RELEASE|=4.1.0.RELEASE|=4.1.1.RELEASE|=4.1.2.RELEASE|=4.1.3.RELEASE|=4.1.4.RELEASE|=4.1.5.RELEASE|=4.1.6.RELEASE|=4.1.7.RELEASE|=4.1.8.RELEASE|=4.1.9.RELEASE|=4.2.0.RELEASE|=4.2.1.RELEASE|=4.2.2.RELEASE|=4.2.3.RELEASE|=4.2.4.RELEASE|=4.2.5.RELEASE|=4.2.6.RELEASE|=4.2.7.RELEASE|=4.2.8.RELEASE|=4.2.9.RELEASE|=4.3.0.RELEASE|=4.3.1.RELEASE|=4.3.10.RELEASE|=4.3.11.RELEASE|=4.3.12.RELEASE|=4.3.13.RELEASE|=4.3.14.RELEASE|=4.3.2.RELEASE|=4.3.3.RELEASE|=4.3.4.RELEASE|=4.3.5.RELEASE|=4.3.6.RELEASE|=4.3.7.RELEASE|=4.3.8.RELEASE|=4.3.9.RELEASE|=5.0.0.RELEASE|=5.0.1.RELEASE|=5.0.2.RELEASE|=5.0.3.RELEASE|=5.0.4.RELEASE","fixed_version":"5.0.5","source":"osv","published_at":"2018-10-17T20:27:47Z","in_kev":false,"epss_prob":0.02166,"epss_percentile":0.84367,"threat_tier":"theoretical"},{"vuln_id":"CVE-2015-0201","severity":"medium","summary":"Moderate severity vulnerability that affects org.springframework:spring-core","affected_versions":">=4.1.0,<4.1.5|=4.1.0.RELEASE|=4.1.1.RELEASE|=4.1.2.RELEASE|=4.1.3.RELEASE|=4.1.4.RELEASE","fixed_version":"4.1.5","source":"osv","published_at":"2018-10-17T20:28:20Z","in_kev":false,"epss_prob":0.00182,"epss_percentile":0.3954,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-22060","severity":"medium","summary":"Log entry injection in Spring Framework","affected_versions":">=5.3.0,<5.3.14|>=5.2.0,<5.2.19|=5.3.0|=5.3.1|=5.3.10|=5.3.11|=5.3.12|=5.3.13|=5.3.2|=5.3.3|=5.3.4|=5.3.5|=5.3.6|=5.3.7|=5.3.8|=5.3.9|=5.2.0.RELEASE|=5.2.1.RELEASE|=5.2.10.RELEASE|=5.2.11.RELEASE|=5.2.12.RELEASE|=5.2.13.RELEASE|=5.2.14.RELEASE|=5.2.15.RELEASE|=5.2.16.RELEASE|=5.2.17.RELEASE|=5.2.18.RELEASE|=5.2.2.RELEASE|=5.2.3.RELEASE|=5.2.4.RELEASE|=5.2.5.RELEASE|=5.2.6.RELEASE|=5.2.7.RELEASE|=5.2.8.RELEASE|=5.2.9.RELEASE","fixed_version":"5.2.19","source":"osv","published_at":"2022-01-12T23:04:06Z","in_kev":false,"epss_prob":0.00168,"epss_percentile":0.37632,"threat_tier":"theoretical"},{"vuln_id":"CVE-2016-5007","severity":"high","summary":"Spring Security and Spring Framework may not recognize certain paths that should be protected","affected_versions":"<4.3.1|<4.1.1|=1.0|=1.0-rc1|=1.0.1|=1.1|=1.1-rc1|=1.1-rc2|=1.1.1|=1.1.2|=1.1.3|=1.1.4|=1.1.5|=1.2|=1.2-rc1|=1.2-rc2|=1.2.1|=1.2.2|=1.2.3|=1.2.4|=1.2.5|=1.2.6|=1.2.7|=1.2.8|=1.2.9|=2.0|=2.0-m1|=2.0-m2|=2.0-m3|=2.0-m4|=2.0-m5|=2.0-rc1|=2.0-rc2|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5|=2.0.6|=2.0.7|=2.0.8|=2.5|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.5|=2.5.6|=2.5.6.SEC01|=2.5.6.SEC02|=2.5.6.SEC03|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=3.0.6.RELEASE|=3.0.7.RELEASE|=3.1.0.RELEASE|=3.1.1.RELEASE|=3.1.2.RELEASE|=3.1.3.RELEASE|=3.1.4.RELEASE|=3.2.0.RELEASE|=3.2.1.RELEASE|=3.2.10.RELEASE|=3.2.11.RELEASE|=3.2.12.RELEASE|=3.2.13.RELEASE|=3.2.14.RELEASE|=3.2.15.RELEASE|=3.2.16.RELEASE|=3.2.17.RELEASE|=3.2.18.RELEASE|=3.2.2.RELEASE|=3.2.3.RELEASE|=3.2.4.RELEASE|=3.2.5.RELEASE|=3.2.6.RELEASE|=3.2.7.RELEASE|=3.2.8.RELEASE|=3.2.9.RELEASE|=4.0.0.RELEASE|=4.0.1.RELEASE|=4.0.2.RELEASE|=4.0.3.RELEASE|=4.0.4.RELEASE|=4.0.5.RELEASE|=4.0.6.RELEASE|=4.0.7.RELEASE|=4.0.8.RELEASE|=4.0.9.RELEASE|=4.1.0.RELEASE|=4.1.1.RELEASE|=4.1.2.RELEASE|=4.1.3.RELEASE|=4.1.4.RELEASE|=4.1.5.RELEASE|=4.1.6.RELEASE|=4.1.7.RELEASE|=4.1.8.RELEASE|=4.1.9.RELEASE|=4.2.0.RELEASE|=4.2.1.RELEASE|=4.2.2.RELEASE|=4.2.3.RELEASE|=4.2.4.RELEASE|=4.2.5.RELEASE|=4.2.6.RELEASE|=4.2.7.RELEASE|=4.2.8.RELEASE|=4.2.9.RELEASE|=4.3.0.RELEASE|=2.0.0|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5.RELEASE|=2.0.6.RELEASE|=2.0.7.RELEASE|=2.0.8.RELEASE|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=3.0.6.RELEASE|=3.0.7.RELEASE|=3.0.8.RELEASE|=3.1.0.RELEASE|=3.1.1.RELEASE|=3.1.2.RELEASE|=3.1.3.RELEASE|=3.1.4.RELEASE|=3.1.5.RELEASE|=3.1.6.RELEASE|=3.1.7.RELEASE|=3.2.0.RELEASE|=3.2.1.RELEASE|=3.2.10.RELEASE|=3.2.2.RELEASE|=3.2.3.RELEASE|=3.2.4.RELEASE|=3.2.5.RELEASE|=3.2.6.RELEASE|=3.2.7.RELEASE|=3.2.8.RELEASE|=3.2.9.RELEASE|=4.0.0.RELEASE|=4.0.1.RELEASE|=4.0.2.RELEASE|=4.0.3.RELEASE|=4.0.4.RELEASE|=4.1.0.RELEASE","fixed_version":"4.1.1","source":"osv","published_at":"2018-10-17T20:30:12Z","in_kev":false,"epss_prob":0.00155,"epss_percentile":0.35839,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-1258","severity":"high","summary":"Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass","affected_versions":">=5.0.5.RELEASE,<5.0.6.RELEASE|=5.0.5.RELEASE","fixed_version":"5.0.6.RELEASE","source":"osv","published_at":"2018-10-17T20:05:49Z","in_kev":false,"epss_prob":0.00292,"epss_percentile":0.52504,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-11040","severity":"medium","summary":"Moderate severity vulnerability that affects org.springframework:spring-core","affected_versions":">=5.0.0.RELEASE,<5.0.7.RELEASE|>=4.3.0.RELEASE,<4.3.18.RELEASE|=5.0.0.RELEASE|=5.0.1.RELEASE|=5.0.2.RELEASE|=5.0.3.RELEASE|=5.0.4.RELEASE|=5.0.5.RELEASE|=5.0.6.RELEASE|=4.3.0.RELEASE|=4.3.1.RELEASE|=4.3.10.RELEASE|=4.3.11.RELEASE|=4.3.12.RELEASE|=4.3.13.RELEASE|=4.3.14.RELEASE|=4.3.15.RELEASE|=4.3.16.RELEASE|=4.3.17.RELEASE|=4.3.2.RELEASE|=4.3.3.RELEASE|=4.3.4.RELEASE|=4.3.5.RELEASE|=4.3.6.RELEASE|=4.3.7.RELEASE|=4.3.8.RELEASE|=4.3.9.RELEASE","fixed_version":"4.3.18.RELEASE","source":"osv","published_at":"2018-10-16T17:43:45Z","in_kev":false,"epss_prob":0.07316,"epss_percentile":0.91701,"threat_tier":"theoretical"},{"vuln_id":"CVE-2011-2894","severity":"medium","summary":"Spring Framework and Spring Security vulnerable to Deserialization of Untrusted Data","affected_versions":">=3.0.0,<3.0.6|>=3.0.0,<3.0.6|>=2.0.0,<2.0.7|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=2.0.0|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5.RELEASE|=2.0.6.RELEASE","fixed_version":"2.0.7","source":"osv","published_at":"2022-05-14T02:54:56Z","in_kev":false,"epss_prob":0.01998,"epss_percentile":0.83714,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-15756","severity":"high","summary":"Denial of Service in Spring Framework","affected_versions":">=5.1.0.RELEASE,<5.1.1.RELEASE|>=5.0.0.RELEASE,<5.0.10.RELEASE|>=4.2.0.RELEASE,<4.3.20.RELEASE|=5.1.0.RELEASE|=5.0.0.RELEASE|=5.0.1.RELEASE|=5.0.2.RELEASE|=5.0.3.RELEASE|=5.0.4.RELEASE|=5.0.5.RELEASE|=5.0.6.RELEASE|=5.0.7.RELEASE|=5.0.8.RELEASE|=5.0.9.RELEASE|=4.2.0.RELEASE|=4.2.1.RELEASE|=4.2.2.RELEASE|=4.2.3.RELEASE|=4.2.4.RELEASE|=4.2.5.RELEASE|=4.2.6.RELEASE|=4.2.7.RELEASE|=4.2.8.RELEASE|=4.2.9.RELEASE|=4.3.0.RELEASE|=4.3.1.RELEASE|=4.3.10.RELEASE|=4.3.11.RELEASE|=4.3.12.RELEASE|=4.3.13.RELEASE|=4.3.14.RELEASE|=4.3.15.RELEASE|=4.3.16.RELEASE|=4.3.17.RELEASE|=4.3.18.RELEASE|=4.3.19.RELEASE|=4.3.2.RELEASE|=4.3.3.RELEASE|=4.3.4.RELEASE|=4.3.5.RELEASE|=4.3.6.RELEASE|=4.3.7.RELEASE|=4.3.8.RELEASE|=4.3.9.RELEASE","fixed_version":"4.3.20.RELEASE","source":"osv","published_at":"2020-06-15T19:34:50Z","in_kev":false,"epss_prob":0.20127,"epss_percentile":0.95509,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-1271","severity":"medium","summary":"Path Traversal in org.springframework:spring-core","affected_versions":">=5.0.0,<5.0.5|<4.3.15|=5.0.0.RELEASE|=5.0.1.RELEASE|=5.0.2.RELEASE|=5.0.3.RELEASE|=5.0.4.RELEASE|=1.0|=1.0-rc1|=1.0.1|=1.1|=1.1-rc1|=1.1-rc2|=1.1.1|=1.1.2|=1.1.3|=1.1.4|=1.1.5|=1.2|=1.2-rc1|=1.2-rc2|=1.2.1|=1.2.2|=1.2.3|=1.2.4|=1.2.5|=1.2.6|=1.2.7|=1.2.8|=1.2.9|=2.0|=2.0-m1|=2.0-m2|=2.0-m3|=2.0-m4|=2.0-m5|=2.0-rc1|=2.0-rc2|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5|=2.0.6|=2.0.7|=2.0.8|=2.5|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.5|=2.5.6|=2.5.6.SEC01|=2.5.6.SEC02|=2.5.6.SEC03|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=3.0.6.RELEASE|=3.0.7.RELEASE|=3.1.0.RELEASE|=3.1.1.RELEASE|=3.1.2.RELEASE|=3.1.3.RELEASE|=3.1.4.RELEASE|=3.2.0.RELEASE|=3.2.1.RELEASE|=3.2.10.RELEASE|=3.2.11.RELEASE|=3.2.12.RELEASE|=3.2.13.RELEASE|=3.2.14.RELEASE|=3.2.15.RELEASE|=3.2.16.RELEASE|=3.2.17.RELEASE|=3.2.18.RELEASE|=3.2.2.RELEASE|=3.2.3.RELEASE|=3.2.4.RELEASE|=3.2.5.RELEASE|=3.2.6.RELEASE|=3.2.7.RELEASE|=3.2.8.RELEASE|=3.2.9.RELEASE|=4.0.0.RELEASE|=4.0.1.RELEASE|=4.0.2.RELEASE|=4.0.3.RELEASE|=4.0.4.RELEASE|=4.0.5.RELEASE|=4.0.6.RELEASE|=4.0.7.RELEASE|=4.0.8.RELEASE|=4.0.9.RELEASE|=4.1.0.RELEASE|=4.1.1.RELEASE|=4.1.2.RELEASE|=4.1.3.RELEASE|=4.1.4.RELEASE|=4.1.5.RELEASE|=4.1.6.RELEASE|=4.1.7.RELEASE|=4.1.8.RELEASE|=4.1.9.RELEASE|=4.2.0.RELEASE|=4.2.1.RELEASE|=4.2.2.RELEASE|=4.2.3.RELEASE|=4.2.4.RELEASE|=4.2.5.RELEASE|=4.2.6.RELEASE|=4.2.7.RELEASE|=4.2.8.RELEASE|=4.2.9.RELEASE|=4.3.0.RELEASE|=4.3.1.RELEASE|=4.3.10.RELEASE|=4.3.11.RELEASE|=4.3.12.RELEASE|=4.3.13.RELEASE|=4.3.14.RELEASE|=4.3.2.RELEASE|=4.3.3.RELEASE|=4.3.4.RELEASE|=4.3.5.RELEASE|=4.3.6.RELEASE|=4.3.7.RELEASE|=4.3.8.RELEASE|=4.3.9.RELEASE","fixed_version":"4.3.15","source":"osv","published_at":"2018-10-17T20:07:03Z","in_kev":false,"epss_prob":0.90599,"epss_percentile":0.99621,"threat_tier":"likely_exploited"},{"vuln_id":"CVE-2025-41249","severity":"high","summary":"Spring Framework annotation detection mechanism may result in improper authorization","affected_versions":">=5.3.0,<=5.3.44|>=6.0.0,<=6.1.22|>=6.2.0,<6.2.11|=5.3.0|=5.3.1|=5.3.10|=5.3.11|=5.3.12|=5.3.13|=5.3.14|=5.3.15|=5.3.16|=5.3.17|=5.3.18|=5.3.19|=5.3.2|=5.3.20|=5.3.21|=5.3.22|=5.3.23|=5.3.24|=5.3.25|=5.3.26|=5.3.27|=5.3.28|=5.3.29|=5.3.3|=5.3.30|=5.3.31|=5.3.32|=5.3.33|=5.3.34|=5.3.35|=5.3.36|=5.3.37|=5.3.38|=5.3.39|=5.3.4|=5.3.5|=5.3.6|=5.3.7|=5.3.8|=5.3.9|=6.0.0|=6.0.1|=6.0.10|=6.0.11|=6.0.12|=6.0.13|=6.0.14|=6.0.15|=6.0.16|=6.0.17|=6.0.18|=6.0.19|=6.0.2|=6.0.20|=6.0.21|=6.0.22|=6.0.23|=6.0.3|=6.0.4|=6.0.5|=6.0.6|=6.0.7|=6.0.8|=6.0.9|=6.1.0|=6.1.1|=6.1.10|=6.1.11|=6.1.12|=6.1.13|=6.1.14|=6.1.15|=6.1.16|=6.1.17|=6.1.18|=6.1.19|=6.1.2|=6.1.20|=6.1.21|=6.1.3|=6.1.4|=6.1.5|=6.1.6|=6.1.7|=6.1.8|=6.1.9|=6.2.0|=6.2.1|=6.2.10|=6.2.2|=6.2.3|=6.2.4|=6.2.5|=6.2.6|=6.2.7|=6.2.8|=6.2.9","fixed_version":"6.2.11","source":"osv","published_at":"2025-09-16T15:32:34Z","in_kev":false,"epss_prob":0.00069,"epss_percentile":0.21081,"threat_tier":"theoretical"},{"vuln_id":"CVE-2015-5211","severity":"high","summary":"Files or Directories Accessible to External Parties in org.springframework:spring-core","affected_versions":">=4.2.0,<4.2.2|>=4.0.0,<4.1.8|<3.2.15|=4.2.0.RELEASE|=4.2.1.RELEASE|=4.0.0.RELEASE|=4.0.1.RELEASE|=4.0.2.RELEASE|=4.0.3.RELEASE|=4.0.4.RELEASE|=4.0.5.RELEASE|=4.0.6.RELEASE|=4.0.7.RELEASE|=4.0.8.RELEASE|=4.0.9.RELEASE|=4.1.0.RELEASE|=4.1.1.RELEASE|=4.1.2.RELEASE|=4.1.3.RELEASE|=4.1.4.RELEASE|=4.1.5.RELEASE|=4.1.6.RELEASE|=4.1.7.RELEASE|=1.0|=1.0-rc1|=1.0.1|=1.1|=1.1-rc1|=1.1-rc2|=1.1.1|=1.1.2|=1.1.3|=1.1.4|=1.1.5|=1.2|=1.2-rc1|=1.2-rc2|=1.2.1|=1.2.2|=1.2.3|=1.2.4|=1.2.5|=1.2.6|=1.2.7|=1.2.8|=1.2.9|=2.0|=2.0-m1|=2.0-m2|=2.0-m3|=2.0-m4|=2.0-m5|=2.0-rc1|=2.0-rc2|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5|=2.0.6|=2.0.7|=2.0.8|=2.5|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.5|=2.5.6|=2.5.6.SEC01|=2.5.6.SEC02|=2.5.6.SEC03|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=3.0.6.RELEASE|=3.0.7.RELEASE|=3.1.0.RELEASE|=3.1.1.RELEASE|=3.1.2.RELEASE|=3.1.3.RELEASE|=3.1.4.RELEASE|=3.2.0.RELEASE|=3.2.1.RELEASE|=3.2.10.RELEASE|=3.2.11.RELEASE|=3.2.12.RELEASE|=3.2.13.RELEASE|=3.2.14.RELEASE|=3.2.2.RELEASE|=3.2.3.RELEASE|=3.2.4.RELEASE|=3.2.5.RELEASE|=3.2.6.RELEASE|=3.2.7.RELEASE|=3.2.8.RELEASE|=3.2.9.RELEASE","fixed_version":"3.2.15","source":"osv","published_at":"2018-10-17T20:29:33Z","in_kev":false,"epss_prob":0.01918,"epss_percentile":0.83399,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-22233","severity":"high","summary":"Spring Framework server Web DoS Vulnerability","affected_versions":">=6.1.2,<6.1.3|>=6.0.15,<6.0.16|=6.1.2|=6.0.15","fixed_version":"6.0.16","source":"osv","published_at":"2024-01-22T15:30:23Z","in_kev":false,"epss_prob":0.01539,"epss_percentile":0.81428,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-1257","severity":"medium","summary":"Denial of Service in org.springframework:spring-core","affected_versions":">=5.0.0,<5.0.6|<4.3.17|=5.0.0.RELEASE|=5.0.1.RELEASE|=5.0.2.RELEASE|=5.0.3.RELEASE|=5.0.4.RELEASE|=5.0.5.RELEASE|=1.0|=1.0-rc1|=1.0.1|=1.1|=1.1-rc1|=1.1-rc2|=1.1.1|=1.1.2|=1.1.3|=1.1.4|=1.1.5|=1.2|=1.2-rc1|=1.2-rc2|=1.2.1|=1.2.2|=1.2.3|=1.2.4|=1.2.5|=1.2.6|=1.2.7|=1.2.8|=1.2.9|=2.0|=2.0-m1|=2.0-m2|=2.0-m3|=2.0-m4|=2.0-m5|=2.0-rc1|=2.0-rc2|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5|=2.0.6|=2.0.7|=2.0.8|=2.5|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.5|=2.5.6|=2.5.6.SEC01|=2.5.6.SEC02|=2.5.6.SEC03|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=3.0.6.RELEASE|=3.0.7.RELEASE|=3.1.0.RELEASE|=3.1.1.RELEASE|=3.1.2.RELEASE|=3.1.3.RELEASE|=3.1.4.RELEASE|=3.2.0.RELEASE|=3.2.1.RELEASE|=3.2.10.RELEASE|=3.2.11.RELEASE|=3.2.12.RELEASE|=3.2.13.RELEASE|=3.2.14.RELEASE|=3.2.15.RELEASE|=3.2.16.RELEASE|=3.2.17.RELEASE|=3.2.18.RELEASE|=3.2.2.RELEASE|=3.2.3.RELEASE|=3.2.4.RELEASE|=3.2.5.RELEASE|=3.2.6.RELEASE|=3.2.7.RELEASE|=3.2.8.RELEASE|=3.2.9.RELEASE|=4.0.0.RELEASE|=4.0.1.RELEASE|=4.0.2.RELEASE|=4.0.3.RELEASE|=4.0.4.RELEASE|=4.0.5.RELEASE|=4.0.6.RELEASE|=4.0.7.RELEASE|=4.0.8.RELEASE|=4.0.9.RELEASE|=4.1.0.RELEASE|=4.1.1.RELEASE|=4.1.2.RELEASE|=4.1.3.RELEASE|=4.1.4.RELEASE|=4.1.5.RELEASE|=4.1.6.RELEASE|=4.1.7.RELEASE|=4.1.8.RELEASE|=4.1.9.RELEASE|=4.2.0.RELEASE|=4.2.1.RELEASE|=4.2.2.RELEASE|=4.2.3.RELEASE|=4.2.4.RELEASE|=4.2.5.RELEASE|=4.2.6.RELEASE|=4.2.7.RELEASE|=4.2.8.RELEASE|=4.2.9.RELEASE|=4.3.0.RELEASE|=4.3.1.RELEASE|=4.3.10.RELEASE|=4.3.11.RELEASE|=4.3.12.RELEASE|=4.3.13.RELEASE|=4.3.14.RELEASE|=4.3.15.RELEASE|=4.3.16.RELEASE|=4.3.2.RELEASE|=4.3.3.RELEASE|=4.3.4.RELEASE|=4.3.5.RELEASE|=4.3.6.RELEASE|=4.3.7.RELEASE|=4.3.8.RELEASE|=4.3.9.RELEASE","fixed_version":"4.3.17","source":"osv","published_at":"2018-10-17T20:02:20Z","in_kev":false,"epss_prob":0.01176,"epss_percentile":0.78787,"threat_tier":"theoretical"},{"vuln_id":"CVE-2021-22096","severity":"medium","summary":"Improper Output Neutralization for Logs in Spring Framework","affected_versions":">=5.3.0,<5.3.11|>=5.2.0,<5.2.18|>=5.2.0,<5.2.18|>=5.3.0,<5.3.11|=5.3.0|=5.3.1|=5.3.10|=5.3.2|=5.3.3|=5.3.4|=5.3.5|=5.3.6|=5.3.7|=5.3.8|=5.3.9|=5.2.0.RELEASE|=5.2.1.RELEASE|=5.2.10.RELEASE|=5.2.11.RELEASE|=5.2.12.RELEASE|=5.2.13.RELEASE|=5.2.14.RELEASE|=5.2.15.RELEASE|=5.2.16.RELEASE|=5.2.17.RELEASE|=5.2.2.RELEASE|=5.2.3.RELEASE|=5.2.4.RELEASE|=5.2.5.RELEASE|=5.2.6.RELEASE|=5.2.7.RELEASE|=5.2.8.RELEASE|=5.2.9.RELEASE|=5.2.0.RELEASE|=5.2.1.RELEASE|=5.2.10.RELEASE|=5.2.11.RELEASE|=5.2.12.RELEASE|=5.2.13.RELEASE|=5.2.14.RELEASE|=5.2.15.RELEASE|=5.2.16.RELEASE|=5.2.17.RELEASE|=5.2.2.RELEASE|=5.2.3.RELEASE|=5.2.5.RELEASE|=5.2.6.RELEASE|=5.2.7.RELEASE|=5.2.8.RELEASE|=5.2.9.RELEASE|=5.3.0|=5.3.1|=5.3.10|=5.3.2|=5.3.3|=5.3.4|=5.3.5|=5.3.6|=5.3.7|=5.3.8|=5.3.9","fixed_version":"5.3.11","source":"osv","published_at":"2022-05-24T19:19:04Z","in_kev":false,"epss_prob":0.00227,"epss_percentile":0.45329,"threat_tier":"theoretical"},{"vuln_id":"CVE-2014-3578","severity":"medium","summary":"Improper Limitation of a Pathname to a Restricted Directory in Spring Framework","affected_versions":">=3.0.0,<3.2.9|>=4.0.0,<4.0.5|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=3.0.6.RELEASE|=3.0.7.RELEASE|=3.1.0.RELEASE|=3.1.1.RELEASE|=3.1.2.RELEASE|=3.1.3.RELEASE|=3.1.4.RELEASE|=3.2.0.RELEASE|=3.2.1.RELEASE|=3.2.2.RELEASE|=3.2.3.RELEASE|=3.2.4.RELEASE|=3.2.5.RELEASE|=3.2.6.RELEASE|=3.2.7.RELEASE|=3.2.8.RELEASE|=4.0.0.RELEASE|=4.0.1.RELEASE|=4.0.2.RELEASE|=4.0.3.RELEASE|=4.0.4.RELEASE","fixed_version":"4.0.5","source":"osv","published_at":"2022-05-14T00:56:29Z","in_kev":false,"epss_prob":0.04358,"epss_percentile":0.88985,"threat_tier":"theoretical"},{"vuln_id":"CVE-2018-1199","severity":"medium","summary":"Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core , and org.springframework:spring-core","affected_versions":">=4.2.0,<4.2.4|>=5.0.0,<5.0.1|>=4.3.0,<4.3.14|>=5.0.0,<5.0.3|>=4.1.0,<4.1.5|=4.2.0.RELEASE|=4.2.1.RELEASE|=4.2.2.RELEASE|=4.2.3.RELEASE|=5.0.0.RELEASE|=4.3.0.RELEASE|=4.3.1.RELEASE|=4.3.10.RELEASE|=4.3.11.RELEASE|=4.3.12.RELEASE|=4.3.13.RELEASE|=4.3.2.RELEASE|=4.3.3.RELEASE|=4.3.4.RELEASE|=4.3.5.RELEASE|=4.3.6.RELEASE|=4.3.7.RELEASE|=4.3.8.RELEASE|=4.3.9.RELEASE|=5.0.0.RELEASE|=5.0.1.RELEASE|=5.0.2.RELEASE|=4.1.0.RELEASE|=4.1.1.RELEASE|=4.1.2.RELEASE|=4.1.3.RELEASE|=4.1.4.RELEASE","fixed_version":"4.1.5","source":"osv","published_at":"2018-10-17T20:01:54Z","in_kev":false,"epss_prob":0.00846,"epss_percentile":0.74888,"threat_tier":"theoretical"},{"vuln_id":"CVE-2009-1190","severity":"medium","summary":"Spring Framework Inefficient Regular Expression Complexity","affected_versions":">=1.1.0,<3.0.0.RELEASE|=1.1|=1.1.1|=1.1.2|=1.1.3|=1.1.4|=1.1.5|=1.2|=1.2-rc1|=1.2-rc2|=1.2.1|=1.2.2|=1.2.3|=1.2.4|=1.2.5|=1.2.6|=1.2.7|=1.2.8|=1.2.9|=2.0|=2.0-m1|=2.0-m2|=2.0-m3|=2.0-m4|=2.0-m5|=2.0-rc1|=2.0-rc2|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5|=2.0.6|=2.0.7|=2.0.8|=2.5|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.5|=2.5.6|=2.5.6.SEC01|=2.5.6.SEC02|=2.5.6.SEC03","fixed_version":"3.0.0.RELEASE","source":"osv","published_at":"2022-05-02T03:22:35Z","in_kev":false,"epss_prob":0.01381,"epss_percentile":0.80352,"threat_tier":"theoretical"},{"vuln_id":"CVE-2011-2730","severity":"high","summary":"Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework","affected_versions":">=3.0.0,<3.0.6|<2.5.6.SEC03|>=2.5.7.SR0,<2.5.7.SR023|=3.0.0.RELEASE|=3.0.1.RELEASE|=3.0.2.RELEASE|=3.0.3.RELEASE|=3.0.4.RELEASE|=3.0.5.RELEASE|=1.0|=1.0-rc1|=1.0.1|=1.1|=1.1-rc1|=1.1-rc2|=1.1.1|=1.1.2|=1.1.3|=1.1.4|=1.1.5|=1.2|=1.2-rc1|=1.2-rc2|=1.2.1|=1.2.2|=1.2.3|=1.2.4|=1.2.5|=1.2.6|=1.2.7|=1.2.8|=1.2.9|=2.0|=2.0-m1|=2.0-m2|=2.0-m3|=2.0-m4|=2.0-m5|=2.0-rc1|=2.0-rc2|=2.0.1|=2.0.2|=2.0.3|=2.0.4|=2.0.5|=2.0.6|=2.0.7|=2.0.8|=2.5|=2.5.1|=2.5.2|=2.5.3|=2.5.4|=2.5.5|=2.5.6|=2.5.6.SEC01|=2.5.6.SEC02","fixed_version":"2.5.7.SR023","source":"osv","published_at":"2022-05-17T02:16:01Z","in_kev":false,"epss_prob":0.46306,"epss_percentile":0.9766,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":1},"versions":{"latest":"7.0.0-M6","total_count":311,"recent":["7.0.0-M6","6.2.8","6.1.21","7.0.0-M5","6.2.7","6.1.20","7.0.0-M4","6.2.6","6.1.19","6.2.5","7.0.0-M3","6.2.4","6.1.18","7.0.0-M2","6.2.3","6.1.17","7.0.0-M1","6.2.2","6.2.1","6.1.16"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":0,"first_published":null,"last_published":"2025-06-12T10:14:17+00:00","dependencies_count":0,"dependencies":[]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"update_required","issues":["Low health score (25/100)","8 high severity vulnerabilities"],"use_version":"7.0.0-M6","version_hint":"Update to >= 2.5.7.SR023 to fix known vulnerabilities","summary":"org.springframework:spring-core@7.0.0-M6 has vulnerabilities — update to latest"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":true,"bus_factor_3m":16,"active_contributors_12m":16,"primary_author_ratio":0.6,"owner_account_age_days":5775,"is_archived":false,"stars":59858,"alerts":[]},"malicious":{"is_malicious":false},"scorecard":{"available":true,"score":5.7,"tier":"moderate"},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":3415,"last_release_days_ago":320,"avg_days_between_releases":180,"release_velocity":"moderate"}}