Org.springframework.security:spring-security-core

This hub aggregates every CVE we track for Org.springframework.security:spring-security-core, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Org.springframework.security:spring-security-core.

• CVE-2025-22234Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation5.3Jan 22, 2026
• CVE-2025-41248CVE-2025-41248: Spring Security authorization bypass for method security annotations on parameterized types7.5Sep 16, 2025
• CVE-2025-41232CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods9.1May 21, 2025
• CVE-2025-22223Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.  You are not affected if you are not ...5.3Mar 24, 2025
• CVE-2024-38827Spring Security Authorization Bypass for Case Sensitive Comparisons4.8Dec 2, 2024
• CVE-2024-38810Missing Authorization When Using @AuthorizeReturnObject6.5Aug 20, 2024
• CVE-2024-22257In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible ...8.2Mar 18, 2024
• CVE-2024-22234CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated7.4Feb 20, 2024
• CVE-2023-20862In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using seriali...6.3Apr 19, 2023
• CVE-2022-31692Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulne...9.8Oct 31, 2022
• CVE-2022-22976Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work fa...5.3May 19, 2022
• CVE-2022-22978In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications...9.8May 19, 2022
• CVE-2021-22119Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Au...7.5Jun 29, 2021
• CVE-2020-5408Dictionary attack with Spring Security queryable text encryptor6.5May 14, 2020
• CVE-2020-5407Signature Wrapping Vulnerability with spring-security-saml2-service-provider8.8May 13, 2020