CVE Vulnerability Database

CVE-2024-22243: Spring Framework UriComponentsBuilder Open Redirect / SSRF Vulnerability

CVE-2024-22243 is a URL parsing flaw in Spring Framework's UriComponentsBuilder that lets attackers bypass host validation checks, leading to open redirect and server-side request forgery (SSRF). This article covers technical details, affected versions, and mitigation.


CVE-2024-22243 Overview

CVE-2024-22243 affects the UriComponentsBuilder class in Spring Framework. Applications that parse an externally provided URL with the builder and then validate the parsed host can have that validation bypassed: an attacker crafts a URL whose host looks trusted to the builder but which a later consumer of the same string resolves to an attacker-controlled destination. The result is an open redirect (CWE-601) when the URL is returned to a browser and server-side request forgery (SSRF) when it is used for an outbound request. According to the Spring advisory, Spring Framework 6.1.0 through 6.1.3, 6.0.0 through 6.0.16 and 5.3.0 through 5.3.31 are affected, as are older, unsupported branches; the flaw therefore reaches a very large number of Java web applications. The Exploit Prediction Scoring System places this vulnerability in the 98th percentile, indicating a high likelihood of exploitation activity.

Critical Impact

Attackers can bypass URL host validation to redirect users to malicious sites or to pivot into internal services via SSRF, exposing internal infrastructure, cloud metadata and user credentials.

Affected Products

  • Spring Framework 6.1.0 - 6.1.3, 6.0.0 - 6.0.16 and 5.3.0 - 5.3.31 (older, unsupported versions are also affected)
  • NetApp products bundling affected Spring Framework versions
  • Java applications that validate the host of a UriComponentsBuilder-parsed URL and then use that URL for a redirect or an outbound request

Discovery Timeline

  • 2024-02-23 - CVE-2024-22243 published to the National Vulnerability Database
  • 2024-05-24 - NetApp publishes downstream security advisory
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-22243

Vulnerability Analysis

The vulnerability resides in how UriComponentsBuilder parses externally supplied URLs. When an application passes a user-controlled string to the builder and then inspects properties such as the host, the builder's lenient handling of the authority component can yield a host that differs from the one a downstream consumer derives from the same string: the validation logic extracts one host value, while the browser that follows the redirect or the HTTP client that issues the request (java.net.URI-based clients, for instance) resolves a different one.

This parser differential allows attackers to construct URLs that appear to point to a trusted domain during validation. After passing validation, the URL is used for redirection or server-side fetching, where it resolves to an attacker-controlled destination. The result is open redirect when used in HTTP responses and SSRF when used to issue outbound requests.

Root Cause

The root cause is inconsistent URL parsing between UriComponentsBuilder and other URL consumers (browsers, java.net.URI, HTTP client libraries). The builder does not enforce strict authority component boundaries, so crafted inputs with embedded delimiters, encoded characters, or malformed userinfo segments confuse host extraction. Validation code reads the parsed host field as safe, while downstream redirect or HTTP client logic reconstructs a different effective host from the original string.

Attack Vector

Exploitation needs only network access to an endpoint that accepts a URL. The open-redirect variant additionally needs a victim to follow the crafted link (delivered via phishing or a malicious page); the SSRF variant needs no user interaction at all. The attacker supplies a URL through a query parameter, form field, or JSON body. The application validates the parsed host against an allowlist, accepts the URL, and either returns it in a Location header or uses it for a server-side HTTP request. Successful exploitation results in credential theft via redirect, internal service enumeration, or access to cloud metadata endpoints.
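To make the vulnerable shape concrete, here is an added example in Java (not code from the Spring project or from this page): a redirect-target check that trusts the host UriComponentsBuilder extracted, beside a hardened version that applies the workarounds listed later on this page and refuses any input on which java.net.URI and UriComponentsBuilder disagree. The host names trusted.example and attacker.example are placeholders, and the sample inputs are constructed; none of them is claimed to be the exact payload that triggered the differential on a pre-fix release.

```java
// Added example, not Spring's own code. Assumptions: the allowlist host "trusted.example",
// the attacker host "attacker.example" and the sample inputs in main() are placeholders.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class RedirectTargetCheck {

    private static final Set<String> ALLOWED_HOSTS = Set.of("trusted.example");

    /** VULNERABLE shape: decides on the host UriComponentsBuilder extracted, then the caller
     *  hands the ORIGINAL string to the Location header or an HTTP client, which may parse
     *  the authority differently. This is the pattern the advisory warns about. */
    static boolean isAllowedVulnerable(String raw) {
        try {
            UriComponents uc = UriComponentsBuilder.fromUriString(raw).build();
            String host = uc.getHost();
            return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** HARDENED: reject authority tricks up front, require a server-based http(s) authority
     *  from java.net.URI (the parser JDK HTTP clients use), require both parsers to agree on
     *  the host, and return the normalized URI instead of the attacker-supplied string. */
    static Optional<URI> safeRedirectTarget(String raw) {
        // Workarounds from this page: no userinfo, no backslashes, no non-ASCII input.
        if (raw == null || raw.contains("@") || raw.contains("\\")
                || !raw.chars().allMatch(c -> c < 0x80)) {
            return Optional.empty();
        }
        URI strict;
        try {
            strict = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty();          // illegal characters, unparsable authority, etc.
        }
        String scheme = strict.getScheme();
        String host = strict.getHost();       // null unless the authority is a proper server authority
        boolean httpScheme = scheme != null
                && (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"));
        if (!httpScheme || host == null || strict.getRawUserInfo() != null
                || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        // Parser-agreement check: if Spring's builder sees a different host than java.net.URI,
        // the input is exactly the kind of differential this CVE is about, so refuse it.
        String springHost;
        try {
            springHost = UriComponentsBuilder.fromUriString(raw).build().getHost();
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        if (springHost == null || !springHost.equalsIgnoreCase(host)) {
            return Optional.empty();
        }
        return Optional.of(strict);           // redirect with strict.toString(), never with raw
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration (not a reproducer for the pre-fix parser).
        String[] samples = {
            "https://trusted.example/account",
            "https://trusted.example@attacker.example/",      // userinfo trick
            "https://trusted.example\\@attacker.example/",    // backslash before the @
            "https://trusted.example%40attacker.example/",    // percent-encoded @
            "//trusted.example/account",                      // scheme-relative
        };
        for (String s : samples) {
            System.out.printf("%-50s vulnerable=%-5s hardened=%s%n", s,
                    isAllowedVulnerable(s),
                    safeRedirectTarget(s).map(URI::toString).orElse("rejected"));
        }
    }
}
```

The hardened path refuses the second, third, fourth and fifth samples regardless of which Spring release is on the classpath, because the pre-checks and the java.net.URI requirements do not depend on the builder. The point of the agreement check is that a future parser quirk in either library turns into a rejection rather than a silent bypass.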

For detailed technical analysis, see the Spring project's security advisory for CVE-2024-22243 and the NetApp Security Advisory.

Detection Methods for CVE-2024-22243

Indicators of Compromise

  • Outbound HTTP requests from application servers to unexpected external hosts or to internal IP ranges such as 169.254.169.254, 127.0.0.1, or RFC1918 addresses.
  • HTTP 302 redirects originating from application endpoints with Location headers pointing to untrusted domains.
  • Request logs containing URL parameters with unusual authority components, encoded @ characters, or backslash separators.

Detection Strategies

  • Inspect application access logs for query parameters carrying full URLs and correlate them with subsequent outbound network connections.
  • Deploy web application firewall rules that flag URL-valued parameters whose authority mixes userinfo and host delimiters, such as https://trusted.com@attacker.com, including percent-encoded forms (%40 for @, %5C for a backslash).
  • Audit application source for direct use of UriComponentsBuilder.fromUriString() followed by host-based allowlist checks.
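The log-inspection strategy above, as an added example in Java (not code from this page or from Spring): it scans constructed access-log lines, URL-decodes every query parameter that carries a full URL, and flags the authority tricks listed in the indicators section as well as targets in metadata, loopback and RFC1918 ranges. The parameter names redirect and url, the client addresses and the paths are assumptions about the application under review.

```java
// Added example, not code from the page or from Spring. The log lines, parameter names
// and hosts below are constructed for illustration.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RedirectLogScan {

    // Constructed sample access-log lines (combined log format), not real traffic.
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] \"GET /login?redirect=https://trusted.example/home HTTP/1.1\" 302 -",
        "198.51.100.7 - - [01/Mar/2024:10:00:02 +0000] \"GET /login?redirect=https://trusted.example%40attacker.example/ HTTP/1.1\" 302 -",
        "198.51.100.7 - - [01/Mar/2024:10:00:03 +0000] \"GET /fetch?url=https://trusted.example%5C@169.254.169.254/latest/meta-data/ HTTP/1.1\" 200 -",
        "203.0.113.9 - - [01/Mar/2024:10:00:04 +0000] \"GET /fetch?url=http://127.0.0.1:8080/actuator/env HTTP/1.1\" 200 -",
        "203.0.113.9 - - [01/Mar/2024:10:00:05 +0000] \"GET /search?q=spring+boot HTTP/1.1\" 200 -",
    };

    private static final Pattern REQUEST_LINE = Pattern.compile("\"(?:GET|POST) (\\S+) HTTP/");
    // Captures the authority (everything between "//" and the next "/", "?" or "#").
    private static final Pattern URL_VALUE = Pattern.compile("(?i)^https?://([^/?#]*)");
    private static final Pattern INTERNAL_HOST = Pattern.compile(
          "^(?:169\\.254\\.\\d+\\.\\d+|127\\.\\d+\\.\\d+\\.\\d+|10\\.\\d+\\.\\d+\\.\\d+"
        + "|192\\.168\\.\\d+\\.\\d+|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d+\\.\\d+|localhost)$");

    /** One finding per suspicious parameter, formatted "<line number>: <param> <reasons>". */
    static List<String> scan(String[] lines) {
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < lines.length; i++) {
            Matcher m = REQUEST_LINE.matcher(lines[i]);
            if (!m.find()) continue;
            String target = m.group(1);
            int q = target.indexOf('?');
            if (q < 0) continue;
            for (String pair : target.substring(q + 1).split("&")) {
                int eq = pair.indexOf('=');
                if (eq < 0) continue;
                String name = pair.substring(0, eq);
                String value = pair.substring(eq + 1);
                try {
                    value = URLDecoder.decode(value, StandardCharsets.UTF_8);
                } catch (IllegalArgumentException e) {
                    // Malformed percent-encoding: keep the raw value, it is still worth inspecting.
                }
                Matcher u = URL_VALUE.matcher(value);
                if (!u.find()) continue;          // only parameters carrying a full URL matter here
                String authority = u.group(1);
                List<String> reasons = new ArrayList<>();
                if (authority.contains("@")) reasons.add("userinfo-in-authority");
                if (authority.contains("\\")) reasons.add("backslash-in-authority");
                if (authority.indexOf('[') > 0) reasons.add("bracket-inside-authority");
                // Host as a browser would see it: after the last "@", without the port.
                String host = authority.substring(authority.lastIndexOf('@') + 1)
                                       .replaceAll(":\\d+$", "")
                                       .toLowerCase(Locale.ROOT);
                if (INTERNAL_HOST.matcher(host).matches()) reasons.add("internal-target:" + host);
                if (!reasons.isEmpty()) {
                    findings.add((i + 1) + ": " + name + " " + String.join(",", reasons));
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        scan(SAMPLE_LOG).forEach(System.out::println);
    }
}
```

On the constructed lines, the first and last produce no finding, the second is flagged for userinfo in the authority, the third for userinfo, a backslash and a metadata-service target, and the fourth for a loopback target. Correlating these findings with egress logs from the same application host, as the strategies above suggest, separates a probe from a successful SSRF.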

Monitoring Recommendations

  • Monitor egress traffic from Java application servers to cloud metadata services and unexpected external domains.
  • Alert on redirect responses where the Location host differs from the application's trusted domain set.
  • Track Spring Framework versions across deployed services and confirm all instances run a patched release.

How to Mitigate CVE-2024-22243

Immediate Actions Required

  • Upgrade Spring Framework to a fixed release (6.1.4, 6.0.17 or 5.3.32, as listed in the Spring project's security advisory for CVE-2024-22243).
  • Audit all code paths that pass user-controlled strings to UriComponentsBuilder and apply post-parse validation against the reconstructed URL.
  • Apply downstream vendor patches, including those listed in the NetApp advisory, for products bundling Spring Framework.

Patch Information

The Spring team published fixed Spring Framework versions in its security advisory for CVE-2024-22243: 6.1.4 for the 6.1.x line, 6.0.17 for 6.0.x and 5.3.32 for 5.3.x. Upgrade to the patched release matching your deployment branch, and verify that transitive dependencies in build manifests such as pom.xml or build.gradle actually resolve to the fixed version. Spring Boot applications inherit the framework version from the Boot BOM, so upgrading Boot or overriding the spring-framework.version property are the usual routes.

Workarounds

  • Reject user-supplied URLs containing userinfo components, backslashes, or non-ASCII characters before parsing.
  • Do not trust the host reported by the initial parse: rebuild the URL with UriComponents.toUriString(), re-parse the result with the parser the downstream consumer will use (java.net.URI for JDK-based HTTP clients), and validate that host, rejecting any input on which the two parsers disagree.
  • Use a strict allowlist of fully qualified URLs for redirect targets instead of host-only checks.
```bash
# Find which Spring Framework artifacts the build resolves, including transitive ones
mvn dependency:tree -Dincludes=org.springframework

# Then pin the BOM in pom.xml so every spring-* artifact resolves to the fixed release
# (6.1.4, 6.0.17 or 5.3.32 depending on your branch); an import-scoped BOM must live
# under <dependencyManagement>, not under plain <dependencies>:
# <dependencyManagement>
#   <dependencies>
#     <dependency>
#       <groupId>org.springframework</groupId>
#       <artifactId>spring-framework-bom</artifactId>
#       <version>PATCHED_VERSION</version>
#       <type>pom</type>
#       <scope>import</scope>
#     </dependency>
#   </dependencies>
# </dependencyManagement>

# Confirm the override took effect for the artifact that contains UriComponentsBuilder
mvn dependency:tree -Dincludes=org.springframework:spring-web
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
