CVE-2025-22233
Description
The fix for CVE-2024-38820 ensured locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.6
* 6.1.0 - 6.1.19
* 6.0.0 - 6.0.27
* 5.3.0 - 5.3.42
* Older, unsupported versions are also affected

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix Version | Availability |
|---|---|---|
| 6.2.x | 6.2.7 | OSS |
| 6.1.x | 6.1.20 | OSS |
| 6.0.x | 6.0.28 | Commercial (https://enterprise.spring.io/) |
| 5.3.x | 5.3.43 | Commercial (https://enterprise.spring.io/) |

No further mitigation steps are necessary.

Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding, since constructor arguments explicitly declare what to bind, together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation. For setter binding, prefer the use of allowedFields (an explicit list) over disallowedFields.

Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
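The advisory's recommended hardening, shown as an added example that is not code from the advisory or from the Spring Framework project. The controller, form classes and field names (AccountController, AccountForm, SignupForm, displayName, email, ownerId) are hypothetical; the Spring APIs used (@InitBinder, WebDataBinder.setDisallowedFields, setAllowedFields, setDeclarativeBinding, @ModelAttribute) are real. The first binder shows the deny-list pattern the advisory says can be bypassed; the second replaces it with an explicit allow-list, and the third uses constructor binding with setter binding switched off so that only the declared constructor arguments can ever be bound.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class AccountController {

    // Hypothetical setter-bound form object. It exposes only the fields a client
    // may submit; anything privileged lives in a separate, non-bound entity.
    public static class AccountForm {
        private String displayName;
        private String email;
        private Long ownerId; // should never be client-controlled

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public Long getOwnerId() { return ownerId; }
        public void setOwnerId(Long ownerId) { this.ownerId = ownerId; }
    }

    // WEAK: deny-list. The advisory states that disallowedFields checks can still
    // be bypassed in some cases, so this alone does not guarantee ownerId stays unbound.
    // (Kept here only to contrast with the binder below; do not rely on it.)
    @InitBinder("legacyAccountForm")
    void denyListBinder(WebDataBinder binder) {
        binder.setDisallowedFields("ownerId");
    }

    // PREFERRED for setter binding: explicit allow-list. Any request parameter
    // whose name is not listed is ignored, whatever its casing or spelling.
    @InitBinder("accountForm")
    void allowListBinder(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
    }

    @PostMapping("/account")
    String updateAccount(@ModelAttribute("accountForm") AccountForm form) {
        // form.getOwnerId() is always null here: it was never in the allow-list.
        return "redirect:/account";
    }

    // Hypothetical constructor-bound form: the constructor arguments are the
    // complete declaration of what may be bound from the request.
    public record SignupForm(String displayName, String email) {}

    // Constructor binding plus declarativeBinding=true: after construction,
    // no setter/property binding is applied, so nothing beyond the record
    // components can be populated by request data.
    @InitBinder("signupForm")
    void constructorOnlyBinder(WebDataBinder binder) {
        binder.setDeclarativeBinding(true);
    }

    @PostMapping("/signup")
    String signup(@ModelAttribute("signupForm") SignupForm form) {
        return "redirect:/welcome";
    }
}
```

Both the allow-list and the constructor-binding approaches are independent of the disallowedFields comparison logic this CVE concerns, which is why the advisory recommends them alongside upgrading. The @InitBinder value restricts each binder to the named model attribute, so the weak deny-list binder in the example never applies to the accountForm or signupForm attributes.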
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2024-45613,CVE-2025-22233,CVE-2025-48795,CVE-2025-48976 are affected in Oracle Commerce Platform 11.4.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 24.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.0.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.5.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.106 | Windows |
| Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.1.13 | Windows |
| Multiple vulnerabilities are affected in Oracle Commerce Platform 11.4.0 | Windows |
| Vulnerabilities CVE-2025-22233 are fixed in spring-context 6.2.7 | Windows |
| Vulnerabilities CVE-2025-22233 are fixed in spring-context 6.1.20 | Windows |
| Vulnerabilities CVE-2025-22233 are affected in spring-context 6.0.23 | Windows |
| Vulnerabilities CVE-2025-22233 are fixed in spring-context for Linux 6.2.7 | Linux |
| Vulnerabilities CVE-2025-22233 are fixed in spring-context for Linux 6.1.20 | Linux |
| Vulnerabilities CVE-2025-22233 are affected in spring-context for Linux 6.0.23 | Linux |
Patch Details
No records found