Spring-web Java Deserialization: CVE-2016-1000027

  • Updated


Why is CVE-2016-1000027 listed for all spring-web versions when MITRE indicates only 4.1.4 as being vulnerable?

Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.


Vulnerability breakdown

Affected package: org.springframework/spring-web

This vulnerability makes it possible to exploit deserialization of untrusted data, ultimately leading to Remote Code Execution (RCE).

The root cause is the readRemoteInvocation method within the HttpInvokerServiceExporter.class does not sufficiently restrict or verify untrusted objects prior to deserializing them.


Information discrepancy with NVD

For a time, NVD was only listing version 4.1.4 as vulnerable, whereas we were listing all versions as vulnerable. This decision was based off the latest information from the Spring Framework developers, and had yet to be communicated to/updated by NVD.

NVD have since addressed this, and began to list all of the then available Spring Framework versions as vulnerable.



Whilst for a time there was considered no fix for this vulnerability, this has now been fixed with the release of Spring Framework version 6.0.0.

For further reading on this CVE-2016-1000027 Spring Framework, please refer to our glossary page: https://www.contrastsecurity.com/glossary/cve-2016-1000027

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request