CVE-2026-40991

Updated on 09 Jun 2026

Severity

5.9 Medium severity

Details

CVSS score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L

Description

When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed.

Affected Spring Products and Versions

Spring REST Docs:

  • 4.0.0
  • 3.0.0 - 3.0.5
  • 2.0.0.RELEASE - 2.0.8.RELEASE

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version      Availability
4.0.x                 4.0.1            OSS
4.0.x                 4.0.0.1          Enterprise Support Only
3.0.x                 3.0.6            OSS
3.0.x                 3.0.5.1          Enterprise Support Only
2.0.x                 2.0.9.RELEASE    Enterprise Support Only

No further mitigation steps are necessary.

History

  • 2026-06-09: Initial vulnerability report published.
