Cyber Resilience

CVE-2024-22262

Severity: High
Published: 16 April 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see the Spring advisory below)
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS score: 0.1263 (94.1st percentile)
Risk priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-22262 is a high-severity Open Redirect (CWE-601) vulnerability in the Spring Framework (the affected product is inferred from references). Its CVSS v3.1 base score is 8.1 (High).

Operationally, it ranks in the top 5.9% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-22262 affects applications built with Spring Framework that use UriComponentsBuilder to parse externally supplied URLs, such as those received through query parameters, while also performing host-based validation checks on the resulting URI. The flaw stems from inconsistent parsing behavior that can allow specially crafted inputs to bypass those checks, exposing the application to open redirect or server-side request forgery outcomes when the validated URL is subsequently used. The issue is functionally equivalent to the earlier CVE-2024-22259 and CVE-2024-22243 disclosures but is triggered by different input patterns.

An unauthenticated remote attacker can supply a malicious URL via user-controlled input. If the application trusts the host validation performed on the parsed object, the attacker may cause an open redirect to an arbitrary destination or induce the server to issue requests to internal resources that would otherwise be blocked.

Spring has published an advisory at https://spring.io/security/cve-2024-22262 that details the affected versions and required updates; NetApp has issued a corresponding advisory (NTAP-20240524-0003) for its products that incorporate the vulnerable component.

The EPSS score reached a peak of 0.1520 after disclosure, indicating a measurable increase in observed exploitation interest relative to its initial low baseline.

Vulnerability details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.

CWE(s)

CWE-601 (URL Redirection to Untrusted Site, "Open Redirect") and CWE-918 (Server-Side Request Forgery), as cited in the mitigating-controls mapping below.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Spring (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Validates redirect targets and URLs to ensure they conform to allowed destinations. Addresses: CWE-601, CWE-918.
- Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites. Addresses: CWE-601.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. Addresses: CWE-918.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. Addresses: CWE-918.
- Detects server-side request forgery through monitoring of unexpected outbound connections. Addresses: CWE-918.