CVE-2018-1257

Name of the Vulnerable Software and Affected Versions Spring Framework versions 5.0.x prior to 5.0.6 Spring Framework versions 4.3.x prior to 4.3.17 Spring Framework older unsupported versions

Description The issue exists due to insufficient input validation in the Spring Framework. This can be exploited by a remote attacker to cause a denial of service. A malicious user can craft a message to the in-memory STOMP broker through the spring-messaging module, potentially leading to a regular expression denial of service attack.

Recommendations For Spring Framework versions 5.0.x prior to 5.0.6, update to version 5.0.6 or later to resolve the issue. For Spring Framework versions 4.3.x prior to 4.3.17, update to version 4.3.17 or later to resolve the issue. For Spring Framework older unsupported versions, consider upgrading to a supported version to mitigate the risk. As a temporary workaround, consider restricting access to the STOMP over WebSocket endpoints to minimize the risk of exploitation.