Spring and Nacos Security Vulnerabilities and Mitigation Guide
Recent disclosures revealed critical Spring DoS flaws (CVE‑2024‑38809 and CVE‑2024‑38808) exploitable via oversized If‑Match/If‑None‑Match headers and malicious SpEL expressions, plus a Nacos 2.4.1 vulnerability allowing arbitrary file read/write through port 7848, mitigated by upgrading to the patched Spring and Nacos releases or restricting the vulnerable ports.
Recent disclosures revealed two critical security issues in the Spring framework and one in Nacos. Spring suffers from a DoS vulnerability (CVE‑2024‑38809) triggered by oversized If‑Match or If‑None‑Match headers, and another DoS via malicious SpEL expressions (CVE‑2024‑38808). Nacos 2.4.1 contains an arbitrary file read/write flaw caused by Jraft requests on port 7848.
Spring CVE‑2024‑38809
Affected Spring versions: 6.1.0‑6.1.11, 6.0.0‑6.0.22, 5.3.0‑5.3.37, and all older releases.
Mitigation: upgrade to the patched versions:
Vulnerable version    Patched version
6.1.x                 6.1.12
6.0.x                 6.0.23
5.3.x                 5.3.38
If upgrading is not possible, add a servlet filter to limit the size of the If‑Match and If‑None‑Match headers.
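One way to implement that interim filter, as an added example that is not code from the advisory or from the Spring project: a Spring OncePerRequestFilter that measures every occurrence of If-Match and If-None-Match and answers 431 before the request reaches Spring's ETag handling. The 4 KiB budget, the class name and the jakarta.servlet imports (Spring 6 / Boot 3) are assumptions; on Spring 5.3 / Boot 2 the same code compiles against javax.servlet.

```java
import java.io.IOException;
import java.util.Enumeration;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects requests whose If-Match or If-None-Match headers are larger than a
 * fixed budget before they reach Spring's ETag comparison logic.
 * Example code added to this guide; MAX_HEADER_BYTES (4 KiB) is an assumed
 * limit chosen for illustration, not a figure from the advisory.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // run before any other application filter
public class ConditionalHeaderSizeFilter extends OncePerRequestFilter {

    /** Assumed budget: ample for genuine ETag lists, far below a flood of entries. */
    static final int MAX_HEADER_BYTES = 4 * 1024;

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        if (exceedsBudget(request, HttpHeaders.IF_MATCH)
                || exceedsBudget(request, HttpHeaders.IF_NONE_MATCH)) {
            // 431 Request Header Fields Too Large; the body is never read.
            response.sendError(HttpStatus.REQUEST_HEADER_FIELDS_TOO_LARGE.value(),
                    "Conditional request header too large");
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Sums every occurrence of the header (clients may repeat it) and stops
     * as soon as the running total crosses the budget.
     */
    static boolean exceedsBudget(HttpServletRequest request, String headerName) {
        Enumeration<String> values = request.getHeaders(headerName);
        if (values == null) {
            return false; // container denies header access; nothing to measure
        }
        int total = 0;
        while (values.hasMoreElements()) {
            total += values.nextElement().length();
            if (total > MAX_HEADER_BYTES) {
                return true;
            }
        }
        return false;
    }
}
```

In a Spring Boot application the @Component annotation is enough to register the filter on every request; on a plain servlet container register it through web.xml or a FilterRegistrationBean. The filter is a stop-gap only: it shields the vulnerable ETag code path but does not replace the upgrade.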
Spring CVE‑2024‑38808
All 5.3.0‑5.3.38 releases and earlier are vulnerable to DoS via crafted SpEL expressions.
Mitigation: upgrade to Spring 5.3.38+ or any 6.0+ release. Avoid evaluating user‑supplied SpEL; when evaluation is required, use SimpleEvaluationContext in read‑only mode.
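What "SimpleEvaluationContext in read-only mode" looks like in practice, as an added example that is not code from the advisory or from the Spring project: caller-supplied SpEL is evaluated against a data object with SimpleEvaluationContext.forReadOnlyDataBinding(), which exposes property reads, literals and operators but refuses type references, constructors, bean references, method calls and assignment. The Order class, the 256-character length cap applied before parsing, and the sample expressions are constructed for illustration.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/**
 * Evaluates caller-supplied SpEL against a data object with a read-only
 * SimpleEvaluationContext. Example code added to this guide; the Order
 * class, the expression-length cap and the sample expressions are
 * constructed for illustration.
 */
public class ReadOnlySpelEvaluator {

    /** Assumed cap on expression length, enforced before the parser sees it. */
    static final int MAX_EXPRESSION_LENGTH = 256;

    private final ExpressionParser parser = new SpelExpressionParser();

    /** Root object: only its public getters are reachable from expressions. */
    public static final class Order {
        private final String customer;
        private final int quantity;
        private final double unitPrice;

        public Order(String customer, int quantity, double unitPrice) {
            this.customer = customer;
            this.quantity = quantity;
            this.unitPrice = unitPrice;
        }
        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
        public double getUnitPrice() { return unitPrice; }
    }

    /**
     * Returns the expression's value, or throws IllegalArgumentException for
     * anything the restricted context refuses (type references, constructors,
     * bean references, method calls, assignment) or that exceeds the length cap.
     */
    public Object evaluate(String expression, Order root) {
        if (expression == null || expression.length() > MAX_EXPRESSION_LENGTH) {
            throw new IllegalArgumentException("expression missing or too long");
        }
        // Read-only data binding: property reads via getters, literals and
        // operators only. No TypeLocator, no BeanResolver, no method resolvers.
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        try {
            Expression parsed = parser.parseExpression(expression);
            return parsed.getValue(ctx, root);
        } catch (ParseException | EvaluationException e) {
            throw new IllegalArgumentException("expression rejected: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        ReadOnlySpelEvaluator evaluator = new ReadOnlySpelEvaluator();
        Order order = new Order("acme", 12, 9.5);   // constructed sample data

        // Accepted: arithmetic and comparison over bound properties.
        System.out.println(evaluator.evaluate("quantity * unitPrice > 100", order));

        // Rejected: a type reference, which only StandardEvaluationContext resolves.
        try {
            evaluator.evaluate("T(java.lang.Math).random()", order);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Rejected: method invocation stays off unless withInstanceMethods() is added.
        try {
            evaluator.evaluate("customer.toUpperCase()", order);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The restricted context limits what an expression can reach; the length cap limits how much work the parser does on it. Neither replaces the upgrade, which is what actually closes CVE-2024-38808.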
Overall Spring safe versions
Vulnerable version    Patched version
6.1.x                 6.1.12
6.0.x                 6.0.23
5.3.x                 5.3.39
Upgrade your Spring Boot dependencies accordingly; versions below 3.1.x are no longer maintained, and the latest 3.2.x+ should be used.
Nacos vulnerability
The flaw is reachable only through port 7848, which Nacos uses for Raft communication between cluster nodes. If that port is exposed outside the cluster, a remote party can read and write arbitrary files on the node.
Mitigation:
Upgrade Nacos to 2.4.1.
For older versions, block external traffic to port 7848 with a firewall.
Version 2.4.1 also tightens Derby OPS SQL permissions, reducing attack surface.
Staying up‑to‑date with these patches is essential for maintaining a secure Java technology stack.
Java Tech Enthusiast