Cyber Resilience

CVE-2024-22259

Severity: High
Published: 16 March 2024
Modified: 10 June 2025
CISA KEV: not listed
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS: 0.5639 (98.2nd percentile)
Risk Priority: 50 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-22259 is a high-severity open redirect (CWE-601) vulnerability in VMware Spring Framework. Its CVSS v3.1 base score is 8.1 (High).

Operationally, its EPSS score places it in the top 1.8% of all CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-22259 affects the UriComponentsBuilder class in Spring Framework. Applications that accept an externally supplied URL (for example via a query parameter), parse it with UriComponentsBuilder, and then validate the host of the parsed result can be tricked into treating a malicious URL as valid: the crafted URL passes the host check yet, when followed, leads somewhere other than the host the check saw. The issue is functionally equivalent to CVE-2024-22243 but is triggered by a different input pattern; it carries the same CVSS v3.1 score of 8.1.

An unauthenticated remote attacker who can get a user to follow a crafted link (the CVSS vector requires user interaction) can supply a URL that bypasses the host validation logic. Successful exploitation may result in an open redirect that sends the user to an attacker-controlled site or, when the application uses the "validated" URL for an outbound request, a server-side request forgery that reaches internal resources.

Spring has published mitigation guidance at https://spring.io/security/cve-2024-22259, and NetApp has issued a corresponding advisory at https://security.netapp.com/advisory/ntap-20240524-0002/. The associated EPSS score has remained near 0.56 with only minimal movement between its recorded peak and current values.

Vulnerability details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
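The following Java class is an added illustration of the usage pattern described in the deeper analysis and in the vulnerability details above; it is not code from the Spring Framework project or from the Spring advisory. It shows the vulnerable shape (parse with UriComponentsBuilder, check only the parsed host, then use the raw input) next to a hardened alternative. The allowlisted host names, the class name and the method names are assumptions made for the example. Neither this page nor the Spring advisory publishes the crafted input, so the hardened variant does not try to pattern-match it: the real fix is upgrading to a patched Spring Framework release, and the extra checks are defence in depth that holds regardless of the specific payload.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectTargetGuard {

    // Hosts this application is willing to redirect (or make outbound requests) to.
    // Example values only; not taken from the advisory.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "sso.example.com");

    // The pattern the advisory describes: parse the untrusted URL with UriComponentsBuilder,
    // check only the parsed host, then hand the ORIGINAL string to the redirect or HTTP client.
    // On Spring Framework <= 5.3.33, 6.0.0-6.0.18 and 6.1.0-6.1.5 a crafted input can pass
    // this check while actually pointing at an attacker-controlled host.
    static String vulnerableRedirectTarget(String untrustedUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(untrustedUrl).build();
        String host = parsed.getHost();
        if (host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return untrustedUrl;
        }
        throw new IllegalArgumentException("redirect target not allowed");
    }

    // Hardened variant (added example, not from the advisory). Upgrading Spring is the fix;
    // these checks are defence in depth that does not rely on knowing the crafted input:
    //   1. accept only absolute http/https URLs without userinfo,
    //   2. require UriComponentsBuilder and java.net.URI to agree on the host,
    //   3. redirect to a URL rebuilt from the validated components, never to the raw input.
    static String hardenedRedirectTarget(String untrustedUrl) {
        UriComponents parsed;
        URI jdkView;
        try {
            parsed = UriComponentsBuilder.fromUriString(untrustedUrl).build().normalize();
            jdkView = new URI(untrustedUrl).normalize();
        } catch (Exception e) {
            throw new IllegalArgumentException("unparseable redirect target", e);
        }
        String scheme = parsed.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("only http/https redirect targets are allowed");
        }
        String host = parsed.getHost();
        if (host == null || parsed.getUserInfo() != null || jdkView.getRawUserInfo() != null) {
            throw new IllegalArgumentException("missing host or unexpected userinfo");
        }
        if (!host.equalsIgnoreCase(jdkView.getHost())) {
            // Two parsers reading different hosts out of one string is the condition an attacker needs.
            throw new IllegalArgumentException("parsers disagree on host: " + host + " vs " + jdkView.getHost());
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not in allowlist: " + host);
        }
        // Rebuild from the validated pieces so nothing the checks did not see reaches the redirect.
        return UriComponentsBuilder.newInstance()
                .scheme(scheme.toLowerCase(Locale.ROOT))
                .host(host)
                .port(parsed.getPort())      // -1 means "no explicit port" for this builder
                .path(parsed.getPath())
                .query(parsed.getQuery())
                .build()
                .toUriString();
    }

    public static void main(String[] args) {
        System.out.println(hardenedRedirectTarget("https://app.example.com/dashboard?tab=1"));
        try {
            hardenedRedirectTarget("https://evil.example.net/login");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same hardened function can gate outbound HTTP calls, which covers the SSRF case the page mentions. Even on a patched release, redirecting to a server-side map of named destinations is preferable to accepting any externally supplied URL, because it removes the host-validation step this class of bug targets.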

CWE(s)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware Spring Framework: ≤ 5.3.33; 6.0.0 to 6.0.18; 6.1.0 to 6.1.5
NetApp Active IQ Unified Manager: all versions
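As an added check that is not provided by this page or by Spring, the following Java program decides whether a Spring Framework version string falls into the affected ranges listed above and scans constructed `mvn dependency:tree` output for framework artifacts in those ranges. The sample lines are made up for the example and deliberately mix framework generations so that two of the three ranges are exercised; the class and method names are assumptions. UriComponentsBuilder lives in spring-web, but any org.springframework:spring-* artifact at an affected version is flagged, since the remediation is a framework-wide upgrade.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SpringVersionCheck {

    // Affected Spring Framework ranges as listed on this page; a null lower bound means "no lower bound".
    private static final int[][][] AFFECTED_RANGES = {
        { null,      {5, 3, 33} },
        { {6, 0, 0}, {6, 0, 18} },
        { {6, 1, 0}, {6, 1, 5}  },
    };

    // Matches org.springframework:<artifact>:jar:<version>: in 'mvn dependency:tree' output.
    // Spring Boot artifacts (group org.springframework.boot) deliberately do not match.
    private static final Pattern DEP_LINE =
        Pattern.compile("org\\.springframework:(spring-[a-z-]+):jar:([0-9][0-9A-Za-z.\\-]*):");

    // Leading numeric parts of "6.1.5", "5.3.33.RELEASE" or "6.1.5-SNAPSHOT", padded to three.
    static int[] parseVersion(String version) {
        int[] parts = {0, 0, 0};
        int i = 0;
        for (String piece : version.split("[.\\-]")) {
            if (i == 3 || !piece.matches("[0-9]+")) break;   // stop at qualifiers such as RELEASE
            parts[i++] = Integer.parseInt(piece);
        }
        if (i == 0) throw new IllegalArgumentException("unparseable version: " + version);
        return parts;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    static boolean isAffected(String version) {
        int[] v = parseVersion(version);
        for (int[][] range : AFFECTED_RANGES) {
            boolean atOrAboveLow = range[0] == null || compare(range[0], v) <= 0;
            boolean atOrBelowHigh = compare(v, range[1]) <= 0;
            if (atOrAboveLow && atOrBelowHigh) return true;
        }
        return false;
    }

    // Returns "artifact version" for every framework artifact whose version is in an affected range.
    static List<String> scanDependencyTree(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = DEP_LINE.matcher(line);
            if (m.find() && isAffected(m.group(2))) {
                findings.add(m.group(1) + " " + m.group(2));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample output; it mixes generations on purpose to hit two of the ranges.
        List<String> sampleTree = Arrays.asList(
            "[INFO] com.example:demo:jar:0.0.1-SNAPSHOT",
            "[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.3:compile",
            "[INFO] |  +- org.springframework:spring-web:jar:6.1.5:compile",
            "[INFO] |  \\- org.springframework:spring-webmvc:jar:6.1.6:compile",
            "[INFO] \\- org.springframework:spring-core:jar:5.3.33:compile");
        for (String finding : scanDependencyTree(sampleTree)) {
            System.out.println("AFFECTED: " + finding);
        }
    }
}
```

In a real run, pipe `mvn dependency:tree` output into the scanner instead of the constructed list; versions that carry a qualifier (RELEASE, SNAPSHOT, milestone tags) are compared on their numeric prefix only, which is the right behaviour for these ranges but means a 6.1.6 snapshot is treated as fixed.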

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness type cited in the NVD entry (CWE-601).

Security awareness (addresses CWE-601): train users to verify URLs and to avoid following untrusted redirects that lead to malicious sites.

Redirect target validation (addresses CWE-601): validate redirect targets and URLs so that they resolve only to allowed destinations. Note that for this CVE the host validation itself is what a crafted URL bypasses on affected versions, so this control is only effective once the framework has been upgraded.