Full Report
Critical vulnerabilities can exist in open source software your scanners don't check. HeroDevs reveals how EOL software creates blind spots in CVE feeds and SCA tools, and how you can receive a free end-of-life scan for your projects. [...]
Analysis Summary
# Vulnerability: Security Header Dropping in Spring Security (EOL Blind Spot)
## CVE Details
- **CVE ID:** CVE-2026-22732
- **CVSS Score:** 9.1 (Critical)
- **CWE:** Not listed in the article. The behaviour described (configured security headers not being emitted) is a protection-mechanism failure; the closest generic mapping is CWE-693 (Protection Mechanism Failure), but that mapping is this summary's, not the article's.
## Affected Systems
- **Products:** Spring Security (Spring ecosystem)
- **Versions:**
- Official affected range (per the upstream advisory): 5.7.x through 7.0.x
- **EOL branch inside that range with no upstream fix:** Spring Security 6.2.x (the Spring Boot 3.2 line, EOL December 2025). It falls within the affected range, but because the branch is out of support it received no patched release, and HeroDevs reports that CVE feeds and SCA tools do not flag it.
- **Configurations:** Servlet application configurations.
## Vulnerability Description
Technical details indicate a flaw where critical security response headers are silently dropped by the framework. These headers include:
- `Cache-Control`
- `X-Frame-Options`
- `Strict-Transport-Security` (HSTS)
- `Content-Security-Policy` (CSP)
Without these headers the application is exposed to the attacks they exist to block: caching of authenticated responses by browsers and intermediaries (no `Cache-Control`), clickjacking (no `X-Frame-Options`), protocol downgrade and cookie-stripping attacks (no `Strict-Transport-Security`), and script injection that a policy would otherwise contain (no `Content-Security-Policy`). This happens even though the application code configures those protections, which is what makes the problem easy to miss in code review.
## Exploitation
- **Status:** Documented; HeroDevs has confirmed that the EOL 6.2.x branch is affected.
- **Complexity:** Low. The flaw needs no interaction with the framework itself; the missing headers simply leave the application open to the standard web attacks those headers block.
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Potential for token theft or sensitive data exposure via caching/XSS).
- **Integrity:** High (Potential for unauthorized actions via Clickjacking).
- **Availability:** Low.
## Remediation
### Patches
- **Official:** Upgrade to a patched release on a branch that is still under support (the fix was published by the Spring maintainers in March 2026; consult the upstream advisory for the exact fixed versions on each supported branch).
- **EOL Support:** Organizations running Spring Security 6.2.x (Spring Boot 3.2) have no upstream patch available; the article presents HeroDevs Never-Ending-Support (NES) backports as the remediation path for that branch. The alternative is to move to a supported Spring Boot line, which is the upgrade the EOL status was already calling for.
### Workarounds
- Set the security headers at the reverse proxy or web server layer (e.g., Nginx, Apache, or F5) so that they are emitted regardless of what the application framework does. This is defence in depth rather than a fix: keep the framework configuration in place and verify at the edge that the headers actually reach the client.
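As an added example, not taken from the article or from any vendor guidance, the following Nginx server block shows the workaround above. The hostname and the upstream address are placeholders; the CSP value is deliberately minimal and must be adapted to the application.

```nginx
# Defence-in-depth at the reverse proxy: emit the headers no matter what the
# upstream Spring application sends. Hostname and upstream are placeholders.
server {
    listen 443 ssl;
    server_name app.example.invalid;

    # Drop any copy the upstream sends so clients never see two conflicting values.
    proxy_hide_header Cache-Control;
    proxy_hide_header X-Frame-Options;
    proxy_hide_header Strict-Transport-Security;
    proxy_hide_header Content-Security-Policy;

    # 'always' is required: without it add_header applies only to 2xx/3xx
    # responses, so error pages (login failures, 403s) would go out unprotected.
    add_header Cache-Control "no-cache, no-store, max-age=0, must-revalidate" always;
    add_header X-Frame-Options "DENY" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two Nginx-specific caveats: `add_header` directives are inherited from the `server` block only if a `location` defines none of its own, so a `location /static/` that sets its own `Cache-Control` for assets must repeat the other four directives or it silently loses them; and HSTS only makes sense on the TLS listener, so do not copy the block onto a plain-HTTP `server`.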
## Detection
- **Indicator of exposure (not of compromise):** Absence or weakening of the expected security headers in HTTP responses from the application. Check unauthenticated, authenticated, and error responses, since the headers should be present on all of them.
- **Detection methods and tools:**
- Manual inspection of HTTP headers in browser dev tools or with curl. Prefer `curl -sD - -o /dev/null URL` over `curl -I`: `-I` sends a HEAD request, and some applications answer HEAD with a different filter chain or header set than GET. Test over HTTPS, because HSTS is only sent on secure requests.
- Automated DAST (Dynamic Application Security Testing) scanners, which flag missing headers as a standard finding.
- HeroDevs EOL Scan or CLI tools that flag EOL dependencies in an SBOM, since the point of the article is that the CVE feed itself will not surface the affected 6.2.x branch.
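The header audit described above, and the value checks that the attacks in the description call for, as an added example written for this summary rather than code from the article or from the Spring or HeroDevs projects. It parses a raw HTTP response head (for example the output of `curl -sD - -o /dev/null URL`), reports which of the four headers are missing, and flags values that are present but too weak to block the attack in question. The thresholds are this example's policy, modelled on Spring Security's own defaults; the three sample responses are constructed.

```python
"""Audit an HTTP response for the security headers Spring Security should emit.

Usage:  curl -sD - -o /dev/null https://app.example.invalid/login | python audit_headers.py
"""
import json
import re
import sys

ONE_YEAR = 31536000  # seconds; Spring Security's default HSTS max-age


# Each checker returns None when the value is acceptable, otherwise a reason.
# Thresholds are this example's policy (based on Spring's defaults), not the advisory's.
def _cache_control(value):
    if "no-store" not in value.lower():
        return "Cache-Control lacks no-store; authenticated responses may be cached"
    return None


def _x_frame_options(value):
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return f"X-Frame-Options {value!r} does not prevent framing"
    return None


def _hsts(value):
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not match:
        return "Strict-Transport-Security has no max-age directive"
    if int(match.group(1)) < ONE_YEAR:
        return f"HSTS max-age {match.group(1)} is shorter than one year"
    return None


def _csp(value):
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src" and "'unsafe-inline'" in tokens:
            return "Content-Security-Policy allows 'unsafe-inline' in script-src"
    return None


CHECKS = {
    "cache-control": _cache_control,
    "x-frame-options": _x_frame_options,
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
}


def parse_response(raw):
    """Return (status_code, {lowercased name: value}) from a raw HTTP/1.x response.

    Accepts CRLF or LF line endings; repeated headers are joined with ', '.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status, headers


def audit(raw):
    """Report missing headers and weak values for one response."""
    status, headers = parse_response(raw)
    report = {"status": status, "missing": [], "weak": []}
    for name, check in CHECKS.items():
        if name not in headers:
            report["missing"].append(name)
            continue
        reason = check(headers[name])
        if reason:
            report["weak"].append(reason)
    return report


# Constructed sample responses for demonstration.
HEALTHY = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Strict-Transport-Security: max-age=31536000 ; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)
# What the advisory describes: the application configured the headers, none were sent.
DROPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 17\r\n\r\n<html>...</html>"
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example.invalid\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    print(json.dumps(audit(sys.stdin.read()), indent=2))
```

Run it against every route class (login page, an authenticated page, a 403 and a 500) rather than a single URL: a framework-level regression typically affects all of them, while a proxy-level workaround applied without `always`-style handling of error responses shows up as headers present on 200s and missing on 4xx/5xx.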
## References
- **Vendor Advisories:** https://www.herodevs.com/eol-dataset/eol-data
- **Relevant links:** https://www.bleepingcomputer.com/news/security/the-eol-blind-spot-in-your-cve-feed-what-sca-tools-dont-check/
- **Research:** Sonatype 2026 State of the Software Supply Chain report.