PT-2025-21751 · Unknown · Spring Framework

Published: 2025-05-16 · Updated: 2026-05-18 · CVE-2025-22233

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Spring Framework versions 5.3.0 through 5.3.42
Spring Framework versions 6.0.0 through 6.0.27
Spring Framework versions 6.1.0 through 6.1.19
Spring Framework versions 6.2.0 through 6.2.6
Description: The issue is a bypass of the disallowedFields checks in the Spring Framework, which opens the possibility of exploitation. No estimate of the number of affected devices is provided, and there is no information about real-world incidents in which this issue was exploited. The only technical detail given about exploitation is that the disallowedFields checks can be bypassed. No specific API endpoints or vulnerable parameters are named in the available descriptions.
Recommendations:
For Spring Framework versions 5.3.0 through 5.3.42, upgrade to version 5.3.43.
For Spring Framework versions 6.0.0 through 6.0.27, upgrade to version 6.0.28.
For Spring Framework versions 6.1.0 through 6.1.19, upgrade to version 6.1.20.
For Spring Framework versions 6.2.0 through 6.2.6, upgrade to version 6.2.7.
As a general mitigation measure, consider using a dedicated model object with properties only for data binding, or using constructor binding with the declarativeBinding flag turned off, to minimize the risk of exploitation. Prefer allowedFields over disallowedFields when configuring binding.
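Added example, not code from the advisory or from the Spring project: a hypothetical Spring MVC controller showing the allow-list (allowedFields) binding and the dedicated form object that the recommendations describe, beside the deny-list (disallowedFields) configuration they advise against. ProfileController, ProfileForm and the property names are assumptions; the WebDataBinder methods used are real Spring Framework API.

```java
// Added illustration (not from the advisory): allow-list data binding with a
// dedicated form object. ProfileController, ProfileForm and the property
// names are hypothetical; the WebDataBinder calls are real Spring API.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class ProfileController {

    // Dedicated model object: it carries only the properties the form may set,
    // so there is no privileged property on the bound object to begin with.
    public static class ProfileForm {
        private String displayName;
        private String email;

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    // Deny-list style the advisory says to avoid: binding is open by default
    // and relies on the disallowedFields check to keep unwanted properties out.
    // @InitBinder("profileForm")
    // void denyList(WebDataBinder binder) {
    //     binder.setDisallowedFields("role", "admin");
    // }

    // Allow-list style the advisory recommends: only the named properties are
    // bound from request parameters; any other parameter is not bound.
    @InitBinder("profileForm")
    void allowList(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");
    }

    @PostMapping("/profile")
    public String update(@ModelAttribute("profileForm") ProfileForm form) {
        // persist form.getDisplayName() and form.getEmail() here
        return "redirect:/profile";
    }
}
```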

Fix

RCE

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-SQ91016
CLEANSTART-2026-WK99982
CVE-2025-22233
GHSA-4WP7-92PW-Q264

Affected Products

Debian
Spring Framework