spring is vulnerable to Exposure of Data Element to Wrong Session
21
Low Risk
Affected versions of this package allowed Spring to leak environment variables across client invocations due to inconsistent handling of spawn_on_env, causing forked applications to inherit server-side ENV values even when clients did not request them. Spring could silently boot applications with unintended configuration while masking the issue by cleaning the ENV only after attachment. An attacker with the ability to influence the Spring server’s environment (or execute a prior trusted command) could persist sensitive or security-relevant variables across subsequent runs, potentially enabling configuration manipulation, secret exposure, or bypassing environment-based security controls.
You are affected if you are using a version that falls within the vulnerable range.
spring is vulnerable to Exposure of Data Element to Wrong Session in versions 4.2.0 - 4.4.1.
Upgrade the spring library to a patched version.
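To check a project against the affected range above, the following added example (not part of the original advisory or of Spring itself) reads the resolved spring version from a Gemfile.lock and compares it with 4.2.0 - 4.4.1. It assumes the package is the RubyGems gem spring locked by Bundler; the helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version

# Affected range as stated in the advisory (inclusive on both ends).
AFFECTED_MIN = Gem::Version.new("4.2.0")
AFFECTED_MAX = Gem::Version.new("4.4.1")

# Constructed sample lockfile; other gem names and versions are illustrative.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spring (4.3.0)
      spring-watcher-listen (2.1.0)
        spring (>= 4)

  DEPENDENCIES
    spring
LOCK

# Return the resolved version of gem_name from Gemfile.lock text, or nil.
# Only 4-space-indented entries under "specs:" count; deeper lines are
# constraints declared by other gems, and DEPENDENCIES carries no version.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line(chomp: true) do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ # a new top-level section ends the specs list
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      return m[2] if m[1] == gem_name
    end
  end
  nil
end

# Classify a lockfile: :affected, :not_affected, :not_present or :unknown.
def spring_status(lockfile_text)
  raw = locked_version(lockfile_text, "spring")
  return :not_present if raw.nil?
  return :unknown unless Gem::Version.correct?(raw)
  v = Gem::Version.new(raw)
  v >= AFFECTED_MIN && v <= AFFECTED_MAX ? :affected : :not_affected
end

# Stand-alone use: pass a Gemfile.lock path, or omit it to use the sample.
if __FILE__ == $PROGRAM_NAME
  puts "spring: #{spring_status(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)}"
end
```

Spring normally runs only in development and test environments, so the lockfile to check is the one used on developer machines and CI runners.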