[GHSA-mf92-479x-3373] Spring Security HTTP Headers Are not Written Under Some Conditions

[fritzdal]

Updates

• Affected products

Comments
Adjust bounds to mirror vendor advisory https://spring.io/security/cve-2026-22732

5.7.0 - 5.7.21
5.8.0 - 5.8.23
6.3.0 - 6.3.14
6.4.0 - 6.4.14

[JonathanLEvans]

Hi @fritzdal,

The Spring advisory mixes open source and enterprise only version ranges. The version ranges in GHSA-mf92-479x-3373 are limited to those in Maven. The GitHub Advisory Database is limited to supported ecosystems.

[fritzdal]

Thank for for the added information @JonathanLEvans. This GHSA should still be amended correcting version introduced version 6.0.0 to 6.3.0

      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "6.3.0"
            },
            {
              "last_affected": "6.3.10"
            }
          ]
        }
      ]

Versions 6.3.0 to 6.3.10 are available on Maven and match vendor provided versioning as affected: https://repo1.maven.org/maven2/org/springframework/security/spring-security-web/

[JonathanLEvans]

We used the >= 6.0.0, <= 6.3.10 instead because the advisory says:

Older, unsupported versions may also be affected

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.