CVE-2023-20860

Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch

Description

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

9.1

Severity

Critical

Ecosystem

Java

Publish Date

March 27, 2023

Modified Date

September 23, 2025

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Versions