CVE-2026-41837

Updated on 09 Jun 2026

Severity

5.3 Medium severity

Details

CVSS score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Overview

About vulnerability

Description

Spring Data REST’s Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl.

Affected Spring Products and Versions

Spring Data REST:

  • 3.7.0 - 3.7.19
  • 4.3.0 - 4.3.16
  • 4.4.0 - 4.4.14
  • 4.5.0 - 4.5.11
  • 5.0.0 - 5.0.5

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)    Fix version    Availability
3.7.x                  3.7.20         Commercial
4.3.x                  4.3.17         Commercial
4.4.x                  4.4.15         Commercial
4.5.x                  4.5.12         OSS
5.0.x                  5.0.6          OSS

Until upgrading, applications can mitigate the issue by implementing QuerydslBinderCustomizer on each affected repository and calling bindings.excludeUnlistedProperties(true) together with an explicit allow-list of filterable property paths.
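The following is an added illustration of that interim mitigation; it is not code from the advisory or from the Spring Data project. It assumes a hypothetical User entity with a Querydsl-generated QUser class and the properties lastName and email; a Spring Data REST repository that also implements QuerydslBinderCustomizer can then refuse every filter key it has not explicitly listed.

```java
import org.springframework.data.querydsl.QuerydslPredicateExecutor;
import org.springframework.data.querydsl.binding.QuerydslBinderCustomizer;
import org.springframework.data.querydsl.binding.QuerydslBindings;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

// Hypothetical entity (User) and its Querydsl Q-class (QUser, generated by the
// Querydsl annotation processor). Both names are assumptions for this example.
@RepositoryRestResource(path = "users")
public interface UserRepository
        extends CrudRepository<User, Long>,
                QuerydslPredicateExecutor<User>,
                QuerydslBinderCustomizer<QUser> {

    @Override
    default void customize(QuerydslBindings bindings, QUser user) {
        // Deny by default: any request parameter whose key is not listed via
        // including(...) below is ignored instead of being turned into a
        // Querydsl predicate against an arbitrary persistent property path.
        bindings.excludeUnlistedProperties(true);

        // Explicit allow-list of the property paths clients may filter on.
        bindings.including(user.lastName, user.email);

        // Optionally pin the comparison used for each allowed property, so a
        // client cannot choose the matching semantics either.
        bindings.bind(user.lastName).first((path, value) -> path.containsIgnoreCase(value));
        bindings.bind(user.email).first((path, value) -> path.equalsIgnoreCase(value));
    }
}
```

The customizer must be applied to every exported repository that extends QuerydslPredicateExecutor; a repository without it keeps the default behaviour described above. Unlisted keys are silently dropped rather than rejected, so a request whose only filter key is unlisted returns the unfiltered collection.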

References

History

  • 2026-06-09: Initial vulnerability report published.

Details

Affected product: Spring
Affected packages: Spring Boot @ 2.7.18 (+77 more)
