About vulnerability

SVG ImageDescription

Spring Data REST’s JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.

Affected applications are those whose domain model includes an embeddable object, collection, or map property whose container is marked read-only at the Jackson level while the inner element type carries no per-field restriction.

SVG ImageAffected Spring Products and Versions

Spring Data REST:

• 3.7.0 - 3.7.19
• 4.3.0 - 4.3.16
• 4.4.0 - 4.4.14
• 4.5.0 - 4.5.11
• 5.0.0 - 5.0.5

Versions that are no longer supported are also affected.

SVG ImageMitigation

Users of affected versions should upgrade to the corresponding fixed version.

SVG ImageReferences

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1

SVG ImageHistory

• 2026-06-09: Initial vulnerability report published.

Affected product:

Spring

Affected packages:

Spring Boot @ 2.7.18 (+77 more)

SVG ImageDescription

Spring Data REST’s JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.

Affected applications are those whose domain model includes an embeddable object, collection, or map property whose container is marked read-only at the Jackson level while the inner element type carries no per-field restriction.

SVG ImageAffected Spring Products and Versions

Spring Data REST:

• 3.7.0 - 3.7.19
• 4.3.0 - 4.3.16
• 4.4.0 - 4.4.14
• 4.5.0 - 4.5.11
• 5.0.0 - 5.0.5

Versions that are no longer supported are also affected.

SVG ImageMitigation

Users of affected versions should upgrade to the corresponding fixed version.

SVG ImageReferences

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1

SVG ImageHistory

• 2026-06-09: Initial vulnerability report published.