
Fixing Spring Boot Startup Errors After CVE‑2023‑34035 Upgrade

When upgrading Spring Boot to patch CVE‑2023‑34034 and CVE‑2023‑34035, applications using Spring Security may encounter a startup error indicating ambiguous pattern detection, which can be resolved by upgrading to patched versions and adjusting requestMatchers to use MvcRequestMatcher or AntPathRequestMatcher as appropriate.

Java Architecture Diary

Problem description: After upgrading Spring Boot to address CVE‑2023‑34034 and CVE‑2023‑34035, the application fails to start with the following error:

<code>This method cannot decide whether these patterns are Spring MVC patterns or not.
If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher);
otherwise, please use requestMatchers(AntPathRequestMatcher).</code>

Root Cause

Spring Security versions prior to 5.8.5, 6.0.5, and 6.1.2 are vulnerable when an application uses requestMatchers(String) together with multiple servlets, one of which is the Spring MVC DispatcherServlet. The vulnerability (CVE‑2023‑34035) allows misconfiguration of authorization rules.

The issue occurs when all of the following are true:

The classpath contains Spring MVC.

Spring Security protects multiple servlets, including the DispatcherServlet.

The application references non‑Spring MVC endpoints with requestMatchers(String).

The application is not affected if any of those conditions is false, that is, if any of the following holds:

Spring MVC is absent from the classpath.

Only servlets other than the DispatcherServlet are secured.

Only Spring MVC endpoints use requestMatchers(String).

Affected Spring Security Versions

5.8.0 – 5.8.4

6.0.0 – 6.0.4

6.1.0 – 6.1.1

Mitigation

Users of the affected versions should upgrade:

5.8.x → 5.8.5 (Spring Boot 2.7.14)

6.0.x → 6.0.5 (Spring Boot 3.0.9)

6.1.x → 6.1.2 (Spring Boot 3.1.2)

If multiple servlets are used and one is the Spring MVC DispatcherServlet, the startup may show the following message:

<code>This method cannot decide whether these patterns are Spring MVC patterns or not.
If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher);
otherwise, please use requestMatchers(AntPathRequestMatcher).</code>

Follow the guidance in the error message. For example, replace requestMatchers(String) that points to a non‑Spring MVC endpoint with requestMatchers(new AntPathRequestMatcher("/endpoint")).
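The configuration below is an added example, not code from the original article: it shows a SecurityFilterChain with the ambiguous String matchers (kept as comments) replaced by explicit matcher types. The paths /legacy/** and /api/**, the second servlet mapped at /legacy/*, and the DispatcherServlet being mapped at "/" are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Builds MvcRequestMatcher instances that match the way Spring MVC itself routes.
    @Bean
    MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
        return new MvcRequestMatcher.Builder(introspector);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc)
            throws Exception {
        http.authorizeHttpRequests(auth -> auth
            // Before (ambiguous once a second servlet is registered; patched
            // versions reject it at startup with the message quoted above):
            //   .requestMatchers("/legacy/**").hasRole("ADMIN")
            //   .requestMatchers("/api/**").authenticated()

            // Assumed non-MVC servlet mapped at /legacy/*: plain Ant-style path match.
            .requestMatchers(new AntPathRequestMatcher("/legacy/**")).hasRole("ADMIN")
            // Assumed Spring MVC controllers under /api, DispatcherServlet at "/".
            .requestMatchers(mvc.pattern("/api/**")).authenticated()
            // Deny anything no rule above claims, so an unmatched path fails closed.
            .anyRequest().denyAll());
        return http.build();
    }
}
```

After the change, send an unauthenticated request to one path under each servlet and confirm that both are rejected, which verifies that each rule is bound to the servlet it was written for.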

References

https://spring.io/security/cve-2023-34035
