Cyber Resilience

CVE-2024-22243

Severity: High
Published: 23 February 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see vendor advisory)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.6012 (98.3rd percentile)
Risk Priority: 52 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-22243 is a high-severity Open Redirect (CWE-601) vulnerability in Spring Framework (product inferred from references). Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Applications that use Spring Framework's UriComponentsBuilder to parse an externally supplied URL (for example, one received through a query parameter) and then validate the host of the parsed result are affected. The flaw, tracked as CVE-2024-22243, lets a URL pass the host check even though the destination it actually leads to is different; if the application then uses that URL, the outcome is an open redirect or a server-side request forgery.

An unauthenticated remote attacker can supply a crafted URL that passes the intended host validation yet resolves to an attacker-controlled destination. Depending on how the validated URL is used, exploitation either redirects users to a malicious site or turns the application server into a proxy for requests against internal or external resources. The CVSS vector (network, low complexity, no privileges, user interaction required, high confidentiality and integrity impact, no availability impact) reflects this.

Spring has published patched versions and guidance in the referenced security advisory; organizations should apply the updates or implement the recommended input-handling changes. The EPSS score peaked at 0.6174 and currently stands at 0.6012.
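The following is an added illustration, not Spring's code or the advisory's proof of concept. It shows the vulnerable pattern the advisory describes (parse with UriComponentsBuilder, check the parsed host, then redirect to the original string) next to a hardened check that parses with the strict java.net.URI, refuses inputs that different URL parsers read differently (backslashes, userinfo, non-http schemes), compares the host against an allowlist, and rebuilds the redirect target from the validated components instead of echoing the raw input. The allowlist, the sample inputs and the helper name validatedRedirectTarget are constructed for the example; the sample inputs illustrate the general parser-mismatch class and are not claimed to be the exact strings that trigger any particular Spring version. The commented-out vulnerable snippet assumes spring-web on the classpath.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public final class RedirectTargetCheck {

    // Constructed allowlist for the example.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("trusted.example", "www.trusted.example");

    /* VULNERABLE PATTERN (illustrative; needs spring-web to compile):
     *
     *   UriComponents uc = UriComponentsBuilder.fromUriString(untrusted).build();
     *   if (ALLOWED_HOSTS.contains(uc.getHost())) {
     *       response.sendRedirect(untrusted);   // the raw string is what the browser follows
     *   }
     *
     * The host the builder extracted and the host the browser navigates to can
     * differ; that mismatch is what CVE-2024-22243 describes.
     */

    /** Returns a safe absolute URL to redirect to, or null if the input must be refused. */
    public static String validatedRedirectTarget(String untrusted) {
        if (untrusted == null || untrusted.length() > 2048) return null;

        // 1. Refuse characters whose meaning differs between parsers before parsing at all.
        //    RFC 3986 forbids backslash, whitespace and control characters; WHATWG (browser)
        //    parsing treats '\' as '/' in http(s) URLs. Non-ASCII is refused too (add IDN
        //    normalisation if internationalised hosts are needed).
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\\' || c <= 0x20 || c >= 0x7F) return null;
        }

        URI uri;
        try {
            uri = new URI(untrusted);            // strict RFC 3986 parse
        } catch (URISyntaxException e) {
            return null;
        }

        // 2. Only absolute http(s) URLs, with no userinfo component.
        String scheme = uri.getScheme();
        if (scheme == null || uri.isOpaque()) return null;
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return null;
        if (uri.getRawUserInfo() != null) return null;   // "user@host" is where host confusion starts

        // 3. Check the parsed host against the allowlist, and insist the whole authority
        //    is exactly host[:port] so nothing else survives between "//" and the path.
        String host = uri.getHost();
        if (host == null) return null;
        host = host.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) return null;
        String expectedAuthority = uri.getPort() == -1 ? host : host + ":" + uri.getPort();
        String authority = uri.getRawAuthority();
        if (authority == null || !authority.equalsIgnoreCase(expectedAuthority)) return null;

        // 4. Rebuild the target from validated parts; never echo the original string.
        StringBuilder sb = new StringBuilder(scheme).append("://").append(expectedAuthority);
        String path = uri.getRawPath();
        sb.append(path == null || path.isEmpty() ? "/" : path);
        if (uri.getRawQuery() != null) sb.append('?').append(uri.getRawQuery());
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration.
        String[] samples = {
            "https://trusted.example/account?tab=1",        // accepted, rebuilt from parts
            "https://trusted.example\\@attacker.example/",  // backslash: refused before parsing
            "https://attacker.example@trusted.example/",    // userinfo present: refused
            "https://trusted.example.attacker.example/",    // lookalike host: not in allowlist
            "//attacker.example/",                          // protocol-relative: no scheme
            "javascript:alert(1)",                          // non-http scheme: refused
        };
        for (String s : samples) {
            System.out.println(s + " -> " + validatedRedirectTarget(s));
        }
    }
}
```

The design point is that the check and the redirect operate on the same object: the value sent to the client is assembled from the components that were validated, so a disagreement between the validating parser and the browser's parser has nothing to act on. Upgrading Spring Framework to a patched version remains the primary fix; this pattern is defence in depth for any code that validates hosts.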

EU & UK References

Vulnerability details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Spring
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-601

Security awareness training that covers verifying URLs before following them and avoiding untrusted redirects that lead to malicious sites.

addresses: CWE-601

Validates redirect targets and URLs to ensure they conform to allowed destinations.

References