MEDIUM | Remediated

CVE-2025-3302

Open redirect in Spring MVC RequestMappingHandlerMapping

Technology: Spring Framework

CVSS Score: 6.1 / 10.0

Affected Versions: 5.2.0 – 5.3.28

Patched In: OSSeva for Spring Framework 5.3.29-osseva-1

Published: May 28, 2025

Remediated: June 11, 2025

Description

Spring MVC's RequestMappingHandlerMapping does not validate redirect URLs in certain controller patterns, enabling open redirect attacks that can be used for phishing in applications that accept URL parameters.

Is your Spring Framework deployment affected?

If you're running 5.2.0 – 5.3.28, you need this patch. Book a discovery call to get covered.