Cyber Resilience

CVE-2024-38816

Severity: High
Published: 13 September 2024
Modified: 15 April 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9389 (99.9th percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38816 is a high-severity Path Traversal (CWE-22) vulnerability in Spring Security HTTP (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-38816 is a path traversal vulnerability affecting Spring applications that serve static resources through the functional web frameworks WebMvc.fn or WebFlux.fn. It is present when an application uses RouterFunctions to serve static resources and resource handling is explicitly configured with a FileSystemResource location, allowing crafted requests to access arbitrary files readable by the Spring process. The issue carries a CVSS 3.1 score of 7.5 and is classified under CWE-22.

An unauthenticated remote attacker can exploit the flaw by sending malicious HTTP requests to read sensitive files from the underlying filesystem. Exploitation succeeds only in the specific RouterFunctions plus FileSystemResource configuration; requests are blocked when the Spring Security HTTP Firewall is enabled or when the application runs on Tomcat or Jetty.

The official Spring advisory at spring.io/security/cve-2024-38816 and the NetApp advisory NTAP-20241227-0001 both highlight these environmental mitigations and recommend reviewing static-resource configurations or enabling the firewall. The associated EPSS score remains near 0.94 with no material change between current and peak values.

Vulnerability details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true:

* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a FileSystemResource location

However, malicious requests are blocked and rejected when any of the following is true:

* the Spring Security HTTP Firewall (https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html) is in use
* the application runs on Tomcat or Jetty
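To make the conditions above and in the deeper analysis concrete, here is an added example (not code from this page or from the Spring project) showing the WebMvc.fn configuration shape the advisory describes, a RouterFunctions route backed by an explicit FileSystemResource, next to the Spring Security HTTP Firewall bean the advisory names as a mitigation. The directory /opt/app/static/ and the class name are assumed; the example says nothing about fixed versions, which this page does not list.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;

@Configuration
public class StaticResourceConfig {

    // The configuration shape the advisory flags: WebMvc.fn RouterFunctions
    // serving static files from an explicit FileSystemResource location.
    // When auditing an application for CVE-2024-38816, this is the pattern
    // to search for. (/opt/app/static/ is a hypothetical directory.)
    @Bean
    public RouterFunction<ServerResponse> fileSystemStaticRoutes() {
        return RouterFunctions.resources("/static/**",
                new FileSystemResource("/opt/app/static/"));
    }

    // Mitigation named in the advisory: the Spring Security HTTP Firewall.
    // StrictHttpFirewall rejects requests carrying traversal sequences and
    // other malformed paths before they reach the resource lookup. It is the
    // default firewall when Spring Security is active; exposing it as a bean
    // makes the control explicit and visible in a configuration review.
    @Bean
    public HttpFirewall httpFirewall() {
        return new StrictHttpFirewall();
    }
}
```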

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Spring Security HTTP (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
