Tagged articles
Java Architecture Diary
Mar 22, 2023 · Information Security

How the '**' Pattern in Spring Security Can Bypass MVC Matching (CVE‑2023‑20860) and How to Fix It

CVE‑2023‑20860 reveals that using the '**' pattern with Spring Security’s mvcRequestMatcher can cause mismatched routing and a potential security bypass, and the advisory details affected Spring Framework versions, mitigation steps, and how to upgrade via Gradle or Maven.

CVE-2023-20860 · Security Patch · Spring Framework