Information Security

Fix Critical Spring Framework CVE-2024-38808 & CVE-2024-38809

Spring Framework versions up to 5.3.38 and certain Spring Boot releases contain two severe DoS vulnerabilities (CVE-2024-38808 and CVE-2024-38809); this guide explains their impact, affected products, and provides detailed mitigation steps, including version upgrades and configuration changes to secure your applications.

Java Architecture Diary

Spring Framework recently disclosed two serious security vulnerabilities, CVE-2024-38808 and CVE-2024-38809, both capable of causing denial‑of‑service (DoS) attacks. This article details their impact, affected versions, and remediation methods for Spring Boot 2.x projects.

1. CVE-2024-38808 Vulnerability Analysis

1.1 Description

In Spring Framework versions 5.3.0 to 5.3.38 (and earlier unsupported releases), evaluating user‑provided SpEL (Spring Expression Language) expressions can be exploited to trigger a DoS attack.

1.2 Affected Products and Versions

Spring Framework: 5.3.0 – 5.3.38 and earlier

Spring Boot: 2.7.x – 2.7.18 and earlier

1.3 Mitigation

Upgrade affected installations to the following fixed versions:

Spring Framework 5.3.x → 5.3.39 (or migrate to 6.0+)

If it is impossible to completely avoid user-provided SpEL, use SimpleEvaluationContext.forReadOnlyDataBinding for read-only expression evaluation.

2. CVE-2024-38809 Vulnerability Analysis

2.1 Description

Parsing the ETag values carried in the HTTP request headers "If-Match" or "If-None-Match" can be abused to cause a DoS attack.

2.2 Affected Products and Versions

Spring Framework: 6.1.0 – 6.1.11, 6.0.0 – 6.0.22, 5.3.0 – 5.3.37 and earlier

Spring Boot: 3.1.0 – 3.1.12, 3.0.0 – 3.0.13, 2.7.x – 2.7.18 and earlier

2.3 Mitigation

Upgrade to the following fixed versions:

6.1.x → 6.1.12

6.0.x → 6.0.23

5.3.x → 5.3.38

If an immediate upgrade is not feasible, configure a servlet Filter to limit the size of the "If-Match" and "If-None-Match" headers, reducing the attack surface.
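The following is an added example of such a filter for a Spring Boot 2.x application (javax.servlet API); it is not code from the original article or from the Spring project. The class name, package, and the two limits (2048 characters and 8 header lines per name) are assumptions chosen for illustration. The filter runs first in the chain and rejects the request with HTTP 431 before Spring MVC parses the ETag list, so the vulnerable parsing code never sees an oversized header.

```java
package com.example.security; // assumed package name

import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects requests whose If-Match / If-None-Match headers exceed a fixed
 * budget, before Spring MVC parses the ETag lists they contain.
 * Ordered first so no downstream component sees the oversized header.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class ConditionalHeaderLengthFilter extends OncePerRequestFilter {

    /** Maximum total characters accepted per header name (assumed value; tune to your ETag format). */
    static final int MAX_HEADER_CHARS = 2048;

    /** Maximum number of repeated header lines accepted per header name (assumed value). */
    static final int MAX_HEADER_LINES = 8;

    private static final List<String> GUARDED_HEADERS = Arrays.asList("If-Match", "If-None-Match");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        for (String name : GUARDED_HEADERS) {
            if (exceedsBudget(request, name)) {
                // 431 Request Header Fields Too Large; javax.servlet defines no constant for it.
                response.sendError(431, "Header " + name + " too large");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** True if the header has too many lines or too many characters in total. */
    static boolean exceedsBudget(HttpServletRequest request, String name) {
        // getHeaders() is case-insensitive per the servlet spec and returns every repeated line.
        Enumeration<String> values = request.getHeaders(name);
        if (values == null) {
            return false; // container forbids header access; nothing we can check here
        }
        int lines = 0;
        int chars = 0;
        while (values.hasMoreElements()) {
            lines++;
            chars += values.nextElement().length();
            if (lines > MAX_HEADER_LINES || chars > MAX_HEADER_CHARS) {
                return true;
            }
        }
        return false;
    }
}
```

The container's overall header-block limit (server.max-http-header-size in Spring Boot 2.x) caps the whole request header but does not bound one header individually; this filter adds the tighter per-header limit the mitigation calls for. Pick MAX_HEADER_CHARS from the length of the ETags your own application emits, with headroom for a handful of comma-separated values.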

3. How to Patch Vulnerabilities in Spring Boot 2.x Projects

3.1 Add spring-framework-bom Dependency

Insert the following dependency management into pom.xml:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-framework-bom</artifactId>
            <version>5.3.39</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        <!-- other dependencies -->
    </dependencies>
</dependencyManagement>
Note: Place spring-framework-bom at the top of the dependency‑management section so Maven resolves it correctly.

3.2 Verify Dependency Versions

Refresh Maven dependencies to ensure the Spring Framework version is updated to 5.3.39 or later.

[Image: Dependency version verification]

3.3 Check Spring EL Usage

For features that evaluate SpEL expressions (custom rate-limiting annotations, permission checks, caching, etc.), ensure they do not process user-provided input, or employ SimpleEvaluationContext.forReadOnlyDataBinding to create a read-only context.
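The following is an added example, not code from the original article or from the Spring project, illustrating the read-only context recommended in sections 1.3 and 3.3. It places the permissive StandardEvaluationContext beside the restricted SimpleEvaluationContext.forReadOnlyDataBinding and shows which expressions each accepts. The RequestInfo root object, the class and package names, and the sample expressions are assumptions standing in for whatever a rate-limiting or permission annotation would expose.

```java
package com.example.security; // assumed package name

import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelReadOnlyDemo {

    /**
     * Hypothetical root object such as a rate-limiting annotation might expose to
     * its condition expression. Only public getters are reachable through the
     * read-only data-binding context.
     */
    public static class RequestInfo {
        private final String user;
        private final int callsThisMinute;

        public RequestInfo(String user, int callsThisMinute) {
            this.user = user;
            this.callsThisMinute = callsThisMinute;
        }

        public String getUser() { return user; }
        public int getCallsThisMinute() { return callsThisMinute; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /**
     * Weak pattern: StandardEvaluationContext exposes the full SpEL feature set
     * (type references, constructors, method invocation, assignment) to whatever
     * expression string is handed in, far more than a condition check needs.
     */
    public static Object evaluateWithFullContext(String expression, RequestInfo root) {
        return PARSER.parseExpression(expression).getValue(new StandardEvaluationContext(root));
    }

    /**
     * Hardened pattern from the article: the read-only data-binding context permits
     * property reads on the root object plus operators and literals, and rejects
     * type references, method calls, constructors and assignment with an
     * EvaluationException instead of executing them.
     */
    public static Object evaluateReadOnly(String expression, RequestInfo root) {
        SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expression).getValue(context, root);
    }

    public static void main(String[] args) {
        RequestInfo info = new RequestInfo("alice", 42); // constructed sample input

        // A plain condition over the root object works in the restricted context.
        System.out.println(evaluateReadOnly("callsThisMinute > 10 and user == 'alice'", info)); // true

        // A type reference is accepted by the full context ...
        System.out.println(evaluateWithFullContext("T(java.lang.Math).max(1, 2)", info)); // 2

        // ... but refused by the read-only data-binding context.
        try {
            evaluateReadOnly("T(java.lang.Math).max(1, 2)", info);
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Assignment is refused as well: the context is read-only.
        try {
            evaluateReadOnly("user = 'mallory'", info);
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When the expression text itself comes from a request parameter or stored user data, treat the EvaluationException as an input-validation failure and return a client error rather than letting it propagate as a server error; the restricted context still evaluates the expression, so keeping expressions short and bounded remains part of the mitigation.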

Conclusion

Given the widespread use of Spring Framework, timely updates and patches are crucial for system security. This guide equips developers with the steps needed to mitigate the risks of CVE‑2024‑38808 and CVE‑2024‑38809, ensuring safer Spring Boot applications.

Tags: Backend Development, security patch, Spring Framework, DoS, CVE-2024-38808, CVE-2024-38809
Written by Java Architecture Diary

Committed to sharing original, high‑quality technical articles; no fluff or promotional content.
