CVE-2024-38821 - Static Resource Authorization Bypass in Spring WebFlux Explained

Spring is widely used for building Java web applications, and Spring WebFlux is its reactive, non-blocking web framework. One of the critical tasks in web applications is managing access to static resources – like CSS, JS, and image files – often protected by authorization rules.

In June 2024, a significant security vulnerability was identified in Spring WebFlux:
CVE-2024-38821 allows attackers to bypass Spring Security authorization rules on static resources in certain conditions. If your app serves any static content and restricts access with Spring Security, you should pay close attention.

This post dives deep – in plain English – into how this vulnerability works and how you can protect your users.

[Official References](#refs)

You use Spring WebFlux (not classic Spring MVC)

- You serve static resources via Spring’s static resource support (e.g., /static/, /css/, /js/)
- You apply authorization rules (not permitAll) to static resources (for example, you only want logged-in users to access images)

If you use permitAll() on all static resources, this bug won’t affect you – but many applications lock down documentation, media, or admin-only resources.

How the Attack Works

Spring's configuration lets you apply security controls to HTTP URL patterns. Modern web apps sometimes serve user-uploaded media, sensitive docs, or other files, and restrict access based on user authentication. For example:

// Example security config (WebFlux)
@Override
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    http
        .authorizeExchange()
            .pathMatchers("/private/**").authenticated() // restrict
            .pathMatchers("/public/**").permitAll()      // allow
            .anyExchange().denyAll();                    // all else denied
    return http.build();
}

But—due to a subtle bug in Spring WebFlux's handling of static resources—some requests could sneak past these checks.

Why?

- Requests for static resources are handled by Spring’s ResourceWebHandler/DispatcherHandler.
- Under some circumstances, especially with complex path patterns, requests might bypass SecurityWebFilterChain evaluation and directly access static files—ignoring your rules.

For instance, an attacker may craft URLs with special path values or encodings that confuse the security filter, tricking it into allowing unauthorized access.

Real-World Example

Suppose /private/images/logo.png should only be seen by authenticated users. But, by exploiting this bug, a clever request such as:

GET /private/../private/images/logo.png

Or an encoded variant like

GET /private/%2e%2e/private/images/logo.png

could bypass your security controls—leaking sensitive static content.

Sample Exploit – Code and Requests

Let’s walk through a simple vulnerable app and how it can be exploited.

Setup – Spring WebFlux Security Config

@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange()
               // Restrict static resources!
               .pathMatchers("/static/**").authenticated()
            .anyExchange().permitAll();
        return http.build();
    }
}

Static Resources: /static/* served by default with Spring Boot

Normal request (denied if not logged in)

GET /static/secrets.txt

Responds with 401 Unauthorized

Exploit request (bypasses security!)

GET /static/%2e%2e/static/secrets.txt

Or with a double slash

GET /static//secrets.txt

Or on Windows, a backslash (rare but possible).

In affected versions, this request returns 200 OK with the file – even if not logged in!

Patch Your Dependencies:

- Update to Spring Framework 6.1.7 or later.
- For older versions, upgrade to 5.3.33+.

Test Your App:

- Try .., encoded characters, duplicated/trailing slashes in your static resource URLs.

Extra: Disable Static Resource Handling

- If you never need to lock down static content, consider serving files via code rather than default resource handlers.

Official References

- Spring Vulnerability Announcement (CVE-2024-38821)
- GitHub Advisory: GHSA-x7v9-4rgq-r3w8
- Spring Framework Release Notes

Summary

CVE-2024-38821 is a dangerous bypass—for many real-world APIs and admin dashboards, this could expose sensitive content to unauthenticated attackers. If you use Spring WebFlux with custom security on static resources, update _immediately_ and audit all access control on files.

Questions? See the Spring security docs or file a ticket with your security team.

Stay safe, keep dependencies fresh, and always double-check what's really behind every URL in your app!

Timeline

Published on: 10/28/2024 07:15:07 UTC
Last modified on: 10/28/2024 13:58:09 UTC