Fixing Spring Boot Startup Errors After CVE‑2023‑34035 Upgrade

When upgrading Spring Boot to pick up the Spring Security releases that patch CVE‑2023‑34034 and CVE‑2023‑34035, applications that secure more than one servlet can fail at startup with an "ambiguous pattern" error from requestMatchers(String). The error is deliberate: the patched versions refuse to guess whether a plain string pattern is a Spring MVC pattern. The fix is to upgrade to the patched versions and then replace each requestMatchers(String) with an explicit MvcRequestMatcher (for Spring MVC endpoints) or AntPathRequestMatcher (for everything else).

Java Architecture Diary

Problem description: After upgrading Spring Boot to address CVE‑2023‑34034 and CVE‑2023‑34035, the application fails to start with the following error:

This method cannot decide whether these patterns are Spring MVC patterns or not.
If this endpoint is a Spring MVC endpoint, please use requestMatchers(MvcRequestMatcher);
otherwise, please use requestMatchers(AntPathRequestMatcher).

Root Cause

Spring Security 5.8.0 – 5.8.4, 6.0.0 – 6.0.4 and 6.1.0 – 6.1.1 are vulnerable (CVE‑2023‑34035) when an application calls requestMatchers(String) while securing multiple servlets, one of which is the Spring MVC DispatcherServlet. In those versions requestMatchers(String) silently creates a Spring MVC matcher whenever Spring MVC is on the classpath, so a pattern written for a non‑MVC servlet is evaluated as a Spring MVC pattern and may not match the requests it was meant to protect; the result is authorization rules that do not apply as written. (Versions before 5.8 are not affected because requestMatchers(String) did not exist yet; they used the explicit mvcMatchers and antMatchers methods.)

The issue occurs when all of the following are true:

The classpath contains Spring MVC.

Spring Security protects multiple servlets, including the DispatcherServlet.

The application references non‑Spring MVC endpoints with requestMatchers(String).

The application is not affected if any of these conditions are false:

Spring MVC is absent from the classpath.

Only servlets other than the DispatcherServlet are secured.

Only Spring MVC endpoints use requestMatchers(String).

Affected Spring Security Versions

5.8.0 – 5.8.4

6.0.0 – 6.0.4

6.1.0 – 6.1.1

Mitigation

Users of the affected versions should upgrade (both CVEs are fixed in the same releases):

5.8.x → 5.8.5 (Spring Boot 2.7.x manages Spring Security 5.7.x by default; a project on 5.8 has overridden spring-security.version and must bump that property itself)

6.0.x → 6.0.5 (Spring Boot 3.0.9)

6.1.x → 6.1.2 (Spring Boot 3.1.2)

After the upgrade, an application that still calls requestMatchers(String) while securing multiple servlets, one of which is the Spring MVC DispatcherServlet, fails at startup with the message quoted under Problem description. This is the fix working as intended: instead of picking a matcher type and possibly misapplying the rule, the patched versions fail closed and make you state which kind of endpoint each pattern refers to. The full exception message also lists the servlet registrations found in the servlet context, which is a quick way to see which servlet each pattern belongs to.

Follow the guidance in the error message. For a Spring MVC endpoint, use an MvcRequestMatcher (for example via an MvcRequestMatcher.Builder wired with the HandlerMappingIntrospector); for a non‑Spring MVC endpoint, replace requestMatchers(String) with requestMatchers(new AntPathRequestMatcher("/endpoint")). Apply the same replacement to every method that accepts request matchers, such as CSRF exclusions, not only to authorizeHttpRequests.
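A worked configuration showing both replacements, added here as an example (it is not code from the original article or from the Spring project). It assumes a DispatcherServlet mapped at "/" serving the /api and /admin controllers and a second, non‑MVC servlet (the Spring Boot H2 console at its default path) registered at /h2-console/*; the paths, roles and the use of HTTP Basic are illustrative choices.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Builds MvcRequestMatchers that are resolved through Spring MVC's
    // HandlerMappingIntrospector, i.e. the way the DispatcherServlet itself
    // would route the request. Spring Boot provides the introspector bean.
    @Bean
    MvcRequestMatcher.Builder mvc(HandlerMappingIntrospector introspector) {
        return new MvcRequestMatcher.Builder(introspector);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc) throws Exception {
        // Assumed servlet layout for this example:
        //   - DispatcherServlet at "/" serving /api/** and /admin/** (Spring MVC)
        //   - H2 console servlet at /h2-console/* (not Spring MVC)
        // On the patched versions, writing .requestMatchers("/api/**") or
        // .requestMatchers("/h2-console/**") here would abort startup with the
        // "cannot decide whether these patterns are Spring MVC patterns" error.
        http
            .authorizeHttpRequests(auth -> auth
                // Spring MVC endpoints: explicit MvcRequestMatcher.
                // Most specific rule first, because the first matching rule wins.
                .requestMatchers(mvc.pattern("/api/public/**")).permitAll()
                .requestMatchers(mvc.pattern("/api/**")).hasRole("USER")
                .requestMatchers(mvc.pattern("/admin/**")).hasRole("ADMIN")
                // Non-MVC servlet: explicit AntPathRequestMatcher, matched against
                // the request path (servlet path plus path info), independent of
                // any Spring MVC mapping.
                .requestMatchers(new AntPathRequestMatcher("/h2-console/**")).hasRole("ADMIN")
                // Fail closed for anything not listed above.
                .anyRequest().authenticated())
            // The same explicit-matcher rule applies to every method that takes
            // request matchers, e.g. the CSRF exclusion the H2 console needs.
            .csrf(csrf -> csrf.ignoringRequestMatchers(new AntPathRequestMatcher("/h2-console/**")))
            .httpBasic(withDefaults());
        return http.build();
    }
}
```

Keeping the two matcher types side by side makes the intent auditable: anyone reading the chain can see which rules are bound to Spring MVC routing and which protect a servlet Spring MVC knows nothing about. If you are unsure which servlet a path belongs to, the servlet registrations listed in the startup exception are the authoritative answer.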

References

https://spring.io/security/cve-2023-34035

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: java, Spring Boot, CVE, Authorization, spring-security