
[Aikido] Fix 15 security issues in spring-core, spring-webmvc, spring-web and 6 more #314

Open

aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-16465-AIK-16479-update-packages-59578943-72sm

Conversation

@aikido-autofix aikido-autofix Bot commented Jul 2, 2026


Upgrade Spring and Jetty dependencies to fix open redirect/SSRF vulnerabilities in URL parsing, HTTP request smuggling, and XSS in JavaScript escaping.

⚠️ Incomplete breaking changes analysis (8/10 analyzed)

⚠️ Breaking changes analysis not available for: org.eclipse.jetty:jetty-server, org.eclipse.jetty:jetty-http

✅ After thoroughly searching the codebase for all breaking changes mentioned in the Spring Core 5.3.20 => 5.3.49 and Kotlin stdlib 1.9.25 => 2.4.20 upgrades, no breaking changes were found that affect this codebase.

Spring Core Analysis:

  • No usage of SimpleEvaluationContext found

  • No SpEL (Spring Expression Language) expressions found

  • No @Value annotations with SpEL expressions found

Kotlin stdlib Analysis:

  • No open properties with backing fields requiring deferred initialization in init blocks

  • No expected/actual declarations (no Kotlin Multiplatform code)

  • No typealiases with upper bound violations

  • No SAM constructors with OptIn requirements

  • No suspend-marked anonymous functions in statement positions

  • No overrides of Java methods with raw-typed parameters using generic typed parameters

  • All data classes use constructor initialization (no deferred initialization issues)

  • All property declarations are properly initialized

The Kotlin code in this codebase uses standard patterns that are fully compatible with Kotlin 2.4.20.

All breaking changes by upgrading org.springframework:spring-core from version 5.3.20 to 6.2.11 (CHANGELOG)

Version  Description
5.3.38   SimpleEvaluationContext does not enforce read-only semantics (#33320) - This bug fix enforces read-only semantics that were previously not enforced, which may break code that was performing write operations.
5.3.27   Disable variable assignment in SimpleEvaluationContext (#30327) - This explicitly disables variable assignment functionality that was previously available.
5.3.27   Limit SpEL expression length (#30329) - This introduces a length limit on SpEL expressions that did not exist before, potentially breaking expressions that exceed the limit.
5.3.27   Limit string concatenation in SpEL expressions (#30331) - This introduces limits on string concatenation in SpEL that did not exist before.

All breaking changes by upgrading org.jetbrains.kotlin:kotlin-stdlib from version 1.9.25 to 2.4.20 (CHANGELOG)

Version  Description
2.0.0    Open properties with backing fields must be immediately initialized; deferred initialization in init blocks is no longer allowed
2.0.0    Synthetic setters on projected receivers now trigger errors when assigning types that conflict with the class's projected type
2.0.0    Function literals (lambdas and anonymous functions) with inaccessible generic types now trigger compilation errors
2.0.0    Generic types with inaccessible generic type arguments now trigger compilation errors
2.0.0    Resolution order changed: Kotlin properties now consistently supersede Java fields with the same name, with subclass members taking precedence
2.0.0    Java primitive arrays with TYPE_USE nullability annotations now enforce null safety, triggering errors when values are not used according to annotations
2.0.0    Common code in Kotlin Multiplatform can no longer access platform-specific code due to strict separation of common and platform source sets during compilation
2.0.0    Expected classes without default constructors can no longer be instantiated in common code
2.0.0    Abstract members inherited in expected non-abstract classes must be explicitly overridden as non-abstract
2.0.0    Expected and actual declarations can have different visibility levels only if the actual declaration is more permissive than the expected declaration
2.0.0    Upper bound violations in typealias constructors are now deprecated
2.0.0    Overriding Java methods with raw-typed parameters using generic typed parameters is now forbidden
2.0.0    SAM constructor usages requiring OptIn without annotation are now deprecated
2.0.0    Constructor calls with default arguments under OptIn markers are now forbidden
2.0.0    Suspend-marked anonymous function declarations in statement positions are now prohibited
2.0.0    From Kotlin 2.4.0 onward, rolling back to the previous compiler is no longer possible

✅ 15 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue                Severity  Description
CVE-2024-22262       HIGH      [spring-core] UriComponentsBuilder fails to properly parse externally provided URLs, allowing attackers to bypass host validation checks and perform open redirect or SSRF attacks.
CVE-2024-22243       HIGH      [spring-core] UriComponentsBuilder fails to properly validate URLs parsed from external input, allowing attackers to bypass host validation checks and potentially perform open redirect or SSRF attacks.
CVE-2024-22259       HIGH      [spring-core] UriComponentsBuilder fails to properly parse externally provided URLs, allowing attackers to bypass host validation checks and conduct open redirect or SSRF attacks.
CVE-2025-41249       MEDIUM    [spring-core] Spring Framework's annotation detection may fail to resolve security annotations on methods in generic superclasses, potentially bypassing authorization checks when using Spring Security's @EnableMethodSecurity feature.
CVE-2024-38820       MEDIUM    [spring-core] The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
AIKIDO-2024-10361    LOW       [spring-core] A locale-dependent case sensitivity flaw in string handling allows attackers to bypass security checks by exploiting inconsistent case conversion across different locales. This vulnerability can lead to improper field protection and unauthorized access to restricted functionality.
CVE-2024-38809       LOW       [spring-core] ETag parsing from "If-Match" or "If-None-Match" request headers is vulnerable to denial of service attacks through unbounded header processing.
CVE-2026-2332        HIGH      [jetty-server] The HTTP/1.1 parser incorrectly handles chunk extensions with unclosed quoted strings, terminating parsing at \r\n instead of treating it as an error, enabling HTTP request smuggling attacks. This allows attackers to inject malicious requests that bypass security controls.
CVE-2025-11143       MEDIUM    [jetty-server] URI parser interprets invalid or unusual URIs differently than other common parsers, potentially allowing security bypasses when multiple components parse URIs inconsistently or disclosing implementation details through differential parsing behavior.
CVE-2024-6763        MEDIUM    [jetty-server] Insufficient validation of URI authority segments in HttpURI can cause host extraction discrepancies between Jetty and browsers, enabling open redirect or SSRF attacks when combined with vulnerable browsers.
AIKIDO-2026-11158    HIGH      [spring-core] Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability.
AIKIDO-2026-10571    MEDIUM    [spring-core] Static resource handling on Windows is vulnerable to uncontrolled resource consumption when resolving crafted requests, allowing attackers to exhaust HTTP connections and cause denial of service.
AIKIDO-2024-10363    LOW       [spring-core] A locale-dependent case sensitivity flaw in string handling allows attackers to bypass security checks by exploiting inconsistent case conversion across different locales. This vulnerability can lead to improper field protection and unauthorized access to restricted functionality.
AIKIDO-2026-188556   MEDIUM    [kotlin-stdlib] In JetBrains Kotlin before 2.4.20 code execution is possible via unsafe deserialization in the build cache metadata.
AIKIDO-2026-550292   MEDIUM    [kotlin-stdlib] In JetBrains Kotlin, a vulnerable Java API is used for temporary file and folder creation. An attacker is able to read data from such files and list directories due to insecure permissions.

🔗 Related Tasks
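The locale-dependent disallowedFields entries in the table above (CVE-2024-38820 and the two AIKIDO locale findings) come down to one mechanism: a case-insensitive deny-list check that lowercases with the JVM default locale stops matching as soon as the default locale's case mapping differs from English. The following is an added example written for this page; it is not Aikido's code, not Spring's DataBinder, and not code from this repository. The deny-list entries and submitted field names are constructed, and `isDisallowedNaive` stands in for any check that relies on default-locale `String.toLowerCase()`.

```kotlin
import java.util.Locale

// Added example (not Aikido's code, not Spring's, not this repository's).
// Reproduces the locale-dependent bypass behind CVE-2024-38820: a deny-list
// check that lowercases with the default locale misses fields under locales
// such as Turkish, where 'I' lowercases to dotless 'ı' rather than 'i'.
// The deny-list and field names below are constructed for illustration.

/** Naive check: lowercases both sides with the supplied locale, which is what
 *  java.lang.String.toLowerCase() does with Locale.getDefault() in production. */
fun isDisallowedNaive(field: String, disallowed: List<String>, locale: Locale): Boolean =
    disallowed.any { it.lowercase(locale) == field.lowercase(locale) }

/** Locale-independent check: Kotlin's equals(ignoreCase = true) maps to Java's
 *  equalsIgnoreCase, which folds case per character without consulting a locale. */
fun isDisallowedSafe(field: String, disallowed: List<String>): Boolean =
    disallowed.any { it.equals(field, ignoreCase = true) }

/** Returns (naiveResult, safeResult) for one submitted field under one locale. */
fun compare(field: String, disallowed: List<String>, locale: Locale): Pair<Boolean, Boolean> =
    isDisallowedNaive(field, disallowed, locale) to isDisallowedSafe(field, disallowed)

fun main() {
    val disallowed = listOf("id", "isAdmin")           // constructed deny-list
    val turkish = Locale.forLanguageTag("tr")

    // Under Turkish case mapping "ID".lowercase(turkish) is "ıd" (dotless i),
    // so the naive comparison against "id" fails and the field slips through.
    println("\"ID\" lowercased in tr: " + "ID".lowercase(turkish))

    for (field in listOf("id", "ID", "Id", "ISADMIN")) {
        val (naive, safe) = compare(field, disallowed, turkish)
        println("${field.padEnd(8)} naive=$naive safe=$safe")
    }
}
```

Run it with `kotlinc` or as a `.kts`-style script after inlining; "id" is caught by both checks, but "ID", "Id" and "ISADMIN" are caught only by the locale-independent comparison. The same behaviour appears without passing a locale explicitly when the JVM is started with `-Duser.language=tr`, which is how a deployment, not an attacker, ends up triggering this class of bug.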

Comment thread agent/build.gradle

4 Open source vulnerabilities detected - medium severity
Aikido detected 4 vulnerabilities across 1 package; it includes 2 medium and 2 low vulnerabilities.

Remediation: Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.
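The Jetty entry CVE-2026-2332 in the PR description above describes a chunk extension whose quoted-string is never closed being accepted up to the line-ending CRLF rather than rejected. A parser that applies the RFC 9112 section 7.1.1 grammar (chunk-size [ chunk-ext ], where chunk-ext-val is a token or a quoted-string) has to treat that as a parse error, because the bytes a lenient parser swallows are what a second, stricter parser in the chain will read as the start of a new request. The following is an added example written for this page: it is not Jetty's parser and not code from this repository, and the sample chunk-size lines are constructed.

```kotlin
// Added example (not Jetty's HttpParser, not this repository's code). A strict
// parser for one HTTP/1.1 chunk-size line, per RFC 9112 section 7.1.1:
//   chunk-size [ chunk-ext ]
//   chunk-ext     = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
//   chunk-ext-val = token / quoted-string
// A quoted-string that is still open when the line ends is an error, which is
// the condition CVE-2026-2332 describes Jetty as tolerating. Sample lines are
// constructed; the caller is assumed to have already stripped the CRLF.

sealed class ChunkLine {
    data class Ok(val size: Long, val extensions: Map<String, String>) : ChunkLine()
    data class Error(val reason: String) : ChunkLine()
}

// tchar from RFC 9110 section 5.6.2
private fun isTchar(c: Char): Boolean =
    (c.isLetterOrDigit() && c.code < 128) || c in "!#\$%&'*+-.^_`|~"

private fun isHex(c: Char): Boolean = c in '0'..'9' || c in 'a'..'f' || c in 'A'..'F'

/** Parses the text of a chunk-size line with its terminating CRLF removed. */
fun parseChunkLine(line: String): ChunkLine {
    var i = 0
    fun skipBws() { while (i < line.length && (line[i] == ' ' || line[i] == '\t')) i++ }

    val sizeStart = i
    while (i < line.length && isHex(line[i])) i++
    if (i == sizeStart) return ChunkLine.Error("missing chunk-size")
    if (i - sizeStart > 15) return ChunkLine.Error("chunk-size too long")
    val size = line.substring(sizeStart, i).toLong(16)

    val ext = LinkedHashMap<String, String>()
    while (true) {
        skipBws()
        if (i >= line.length) break
        if (line[i] != ';') return ChunkLine.Error("unexpected '${line[i]}' at $i")
        i++
        skipBws()
        val nameStart = i
        while (i < line.length && isTchar(line[i])) i++
        if (i == nameStart) return ChunkLine.Error("empty chunk-ext-name at $i")
        val name = line.substring(nameStart, i)
        skipBws()
        var value = ""
        if (i < line.length && line[i] == '=') {
            i++
            skipBws()
            if (i < line.length && line[i] == '"') {
                i++                                   // opening DQUOTE
                val sb = StringBuilder()
                var closed = false
                while (i < line.length) {
                    val c = line[i]
                    when {
                        c == '\\' && i + 1 < line.length -> { sb.append(line[i + 1]); i += 2 }
                        c == '"' -> { closed = true; i++; break }
                        c == '\r' || c == '\n' -> return ChunkLine.Error("CR/LF inside quoted-string at $i")
                        else -> { sb.append(c); i++ }
                    }
                }
                if (!closed) return ChunkLine.Error("unclosed quoted-string in chunk-ext '$name'")
                value = sb.toString()
            } else {
                val valueStart = i
                while (i < line.length && isTchar(line[i])) i++
                if (i == valueStart) return ChunkLine.Error("empty chunk-ext-val for '$name'")
                value = line.substring(valueStart, i)
            }
        }
        ext[name] = value
    }
    return ChunkLine.Ok(size, ext)
}

fun main() {
    // Constructed chunk-size lines (CRLF already stripped by the caller).
    val samples = listOf(
        "1a",                       // plain size, no extensions
        "4;name=token",             // token-valued extension
        "4;name=\"quoted value\"",  // properly closed quoted-string
        "4;name=\"unclosed",        // quoted-string never closed: must be rejected
        "4;name=\"a\\\"b\"",        // escaped quote inside quoted-string
    )
    for (s in samples) println("${s.padEnd(24)} -> ${parseChunkLine(s)}")
}
```

The rejection branch is the point: a server that returns `Error` here must close the connection rather than resume parsing at the next CRLF, since anything it would otherwise skip past is attacker-controlled and may be interpreted as a separate request by a proxy or backend that parses the same bytes more strictly. The `toLong(16)` guard and the CR/LF check inside the quoted-string are not mentioned in the advisory text; they are added here because a parser that is strict about quoting should also refuse the other ways a chunk-size line can be made ambiguous.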
