CVE-2024-38828: 
Spring Web MVC vulnerability analysis and mitigation

A vulnerability was identified in Spring MVC controller methods that utilize @RequestBody byte[] method parameters, making them susceptible to Denial of Service (DoS) attacks. The vulnerability, tracked as CVE-2024-38828, was discovered and disclosed on November 15, 2024. The affected versions include Spring Framework versions 5.3.0 through 5.3.41, along with older unsupported versions (Spring Security).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. This scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can impact system availability (NVD).

When exploited, this vulnerability can lead to Denial of Service conditions in applications using the affected Spring MVC controller methods. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity (Spring Security).

Users of affected versions should upgrade to Spring Framework version 5.3.42, which contains the fix for this vulnerability. For commercial customers using Spring Boot 2.7, a hotfix release 2.7.22.4 is available. For older, unsupported versions, applications can implement a workaround by declaring an InputStream method parameter instead of byte[] to access the request body (Spring Blog).

The vulnerability was responsibly reported by security researcher macter. It's worth noting that open source support for Spring Framework 5.3.x and 6.0.x generations ended in August 2024, and the fix has only been applied to the commercial release 5.3.42 (Spring Security).