Full Report
Critical vulnerabilities can exist in open source software your scanners don't check. HeroDevs reveals how EOL software creates blind spots in CVE feeds and SCA tools, and how you can receive a free end-of-life scan for your projects. [...]
Analysis Summary
# Vulnerability: Critical Header Dropping in Spring Security (EOL Blind Spot)
## CVE Details
- **CVE ID:** CVE-2026-22732
- **CVSS Score:** 9.1 (Critical)
- **CWE:** Not explicitly listed (the behaviour suggests CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer, or CWE-450: Keyword Management Errors)
## Affected Systems
- **Products:** Spring Security (often bundled via Spring Boot)
- **Versions:**
  - **Official Range:** 5.7.x through 7.0.x
  - **Identified EOL Version (Unlisted in official CVE):** 6.2.x
- **Configurations:** Servlet application configurations.
## Vulnerability Description
Technically, this flaw causes the application to silently drop critical security response headers. Affected headers include:
- `Cache-Control` (privacy and caching instructions)
- `X-Frame-Options` (clickjacking protection)
- `Strict-Transport-Security` (HSTS, enforces HTTPS)
- `Content-Security-Policy` (XSS mitigation)
The vulnerability arises because these headers are not correctly applied to the response in specific servlet configurations, leaving the application without standard browser-side security protections.
## Exploitation
- **Status:** Vulnerability confirmed in EOL versions by HeroDevs; exploitation status in the wild not specified.
- **Complexity:** Low (Failure of security controls occurs automatically in affected configurations)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Lack of Cache-Control/HSTS can lead to credential theft or data exposure)
- **Integrity:** High (Lack of CSP/X-Frame-Options facilitates injection and UI redressing attacks)
- **Availability:** Low
## Remediation
### Patches
- **Official Upstream:** Update to a supported release that carries the fix; the officially affected range is 5.7.x through 7.0.x.
- **EOL Support:** HeroDevs provides backported fixes for the EOL 6.2.x release line for "Never-Ending-Support" (NES) customers.
### Workarounds
- **Manual Header Injection:** Manually configure filters or reverse proxies (e.g., Nginx, Apache) to inject the missing security headers until the underlying library can be patched.
## Detection
- **Indicators of Compromise:** Unusual web traffic patterns consistent with successful clickjacking or XSS; in practice, however, the primary indicator is the absence of the expected security headers in HTTP responses.
- **Detection Methods and Tools:**
  - **Manual Verification:** Inspect HTTP response headers using browser developer tools or `curl -I`.
  - **EOL Scanning:** Specialized EOL scanners (e.g., HeroDevs CLI/dataset) are required, as standard SCA tools may fail to flag EOL versions such as 6.2.x that fall outside the official CVE metadata range.
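To make the manual verification step repeatable, here is an added example (not part of the original report or of HeroDevs' tooling) that parses a raw HTTP response as `curl -i` prints it and lists which of the four headers named above are missing. The two sample responses are constructed; the header values shown for the healthy case mirror Spring Security's defaults.

```python
from __future__ import annotations

# Headers that Spring Security's default header writers set; if they are
# absent from a servlet-rendered response, the application may be affected.
EXPECTED_HEADERS = {
    "cache-control": "Cache-Control",
    "x-frame-options": "X-Frame-Options",
    "strict-transport-security": "Strict-Transport-Security",
    "content-security-policy": "Content-Security-Policy",
}

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse the header block of a raw HTTP response; names lower-cased, repeats kept."""
    headers: dict[str, list[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def missing_security_headers(raw: str) -> list[str]:
    """Return canonical names of expected headers absent from the response."""
    present = parse_headers(raw)
    return [canon for key, canon in EXPECTED_HEADERS.items() if key not in present]

# Constructed sample responses (not captured from any real deployment).
# Note: Spring Security writes Strict-Transport-Security only on HTTPS requests
# by default, so probe the HTTPS endpoint to avoid a false positive on HSTS.
HEALTHY = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store, max-age=0, must-revalidate\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000 ; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)
AFFECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; HttpOnly\r\n\r\n<html>"
)

if __name__ == "__main__":
    for label, resp in (("healthy", HEALTHY), ("affected", AFFECTED)):
        gaps = missing_security_headers(resp)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Feed it the output of `curl -i https://<host>/<authenticated-path>` for each servlet endpoint; an empty result means the expected headers are present, while any names listed warrant the reverse-proxy or filter workaround above until the library is patched.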
## References
- **Vendor Advisories:** Spring Security Official Advisories (Note: May omit EOL versions)
- **Relevant Links:**
  - hxxps://www[.]herodevs[.]com/eol-dataset/eol-data
  - hxxps://www[.]sonatype[.]com/state-of-the-software-supply-chain/2026/vulnerability-management