[GHSA-mf92-479x-3373] Spring Security HTTP Headers Are not Written Under Some Conditions

[fritzdal]

Updates

• Affected products

Comments
Adjust bounds to mirror vendor advisory https://spring.io/security/cve-2026-22732

5.7.0 - 5.7.21
5.8.0 - 5.8.23
6.3.0 - 6.3.14
6.4.0 - 6.4.14

[JonathanLEvans]

Hi @fritzdal,

The Spring advisory mixes open source and enterprise only version ranges. The version ranges in GHSA-mf92-479x-3373 are limited to those in Maven. The GitHub Advisory Database is limited to supported ecosystems.

[fritzdal]

Thank for for the added information @JonathanLEvans. This GHSA should still be amended correcting version introduced version 6.0.0 to 6.3.0

      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "6.3.0"
            },
            {
              "last_affected": "6.3.10"
            }
          ]
        }
      ]

Versions 6.3.0 to 6.3.10 are available on Maven and match vendor provided versioning as affected: https://repo1.maven.org/maven2/org/springframework/security/spring-security-web/

[JonathanLEvans]

We used the >= 6.0.0, <= 6.3.10 instead because the advisory says:

Older, unsupported versions may also be affected