Overview
CVE-2018-11040 describes a JSONP (JSON with Padding) exposure issue in Spring Framework: when a MappingJackson2JsonView is configured in an application, JSONP support becomes available automatically through the jsonp and callback request parameters for browser requests (and, for REST controllers, through a registered AbstractJsonpResponseBodyAdvice). The effect is that a page on another origin can read the server's JSON data, which is cross-origin data exfiltration. The vulnerability is categorized under CWE-829, because an untrusted request parameter (the callback name) ends up controlling the shape of the response. Neither mechanism is enabled by default in Spring Framework or Spring Boot, but enabling the vulnerable view configuration can unintentionally expose sensitive data to attacker-controlled sites through JSONP wrappers.
In real-world deployments, an application that serves JSON data to browser clients through a view-based approach (such as MappingJackson2JsonView) can inadvertently permit cross-domain data access as soon as a client supplies a callback or jsonp parameter. An attacker can host a page that loads the vulnerable endpoint as a script with a callback function name; because the victim's browser sends its cookies with that request, the server wraps the authenticated JSON payload in the named function and returns it as a script, which then executes in the attacker's page. This can leak sensitive data (e.g., tokens, user identifiers) to third-party domains, constituting unwanted data exposure and a privacy risk.
Remediation means stopping JSONP exposure: upgrade to patched framework versions, remove JSONP-enabled views, or serve standard JSON responses only. Specifically, upgrade Spring Framework to 5.0.7+ or 4.3.18+ (and align Spring Boot dependencies accordingly), and avoid registering MappingJackson2JsonView or AbstractJsonpResponseBodyAdvice in your configuration. Prefer @RestController endpoints that return POJOs or maps serialized as JSON, and add tests that verify endpoints do not honor jsonp/callback query parameters. After patching, validate that JSONP responses are not produced even when a client supplies such parameters.
Affected Versions
Spring Framework 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18, and older unsupported versions
Code Fix Example
Spring Boot API Security Remediation
/* Vulnerable vs fixed Java example showing JSONP exposure and remediation */
import java.util.HashMap;
import java.util.Map;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

public class JsonpVulnerabilityDemo {

    // Vulnerable pattern: on Spring Framework < 5.0.7 / < 4.3.18, MappingJackson2JsonView
    // honours the "jsonp" and "callback" request parameters out of the box, so
    // GET /jsonp/data?callback=foo comes back as foo({...}); with content type
    // application/javascript instead of a bare JSON object.
    @Controller
    @RequestMapping("/jsonp")
    public static class JsonpVulController {
        @RequestMapping("/data")
        public ModelAndView data() {
            Map<String, Object> model = new HashMap<>();
            model.put("token", "secret-token"); // sample value standing in for real sensitive data
            MappingJackson2JsonView jsonView = new MappingJackson2JsonView();
            // Vulnerable: if a client supplies ?callback=foo, the response is wrapped as JSONP
            return new ModelAndView(jsonView, model);
        }
    }

    // Fixed pattern: return a standard JSON payload via a REST controller. The message
    // converter path never wraps the body (as long as no AbstractJsonpResponseBodyAdvice
    // bean is registered), so callback/jsonp parameters are simply ignored.
    @RestController
    @RequestMapping("/api")
    public static class JsonpFixedController {
        @GetMapping("/data")
        public Map<String, Object> data() {
            Map<String, Object> m = new HashMap<>();
            m.put("token", "secret-token");
            return m;
        }
    }
}
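The remediation section above asks for tests proving that endpoints do not honor jsonp/callback parameters. The following regression test is an added example, not code from the page or from the Spring project. It assumes JUnit 5 and spring-test's MockMvc on the classpath; the class and controller names (JsonpRegressionTest, RestDataController, ViewDataController), the paths /api/data and /view/data, and the callback value "leak" are all made up for the example. The second controller also shows the explicit off-switch for code that cannot yet drop MappingJackson2JsonView: clearing the view's JSONP parameter names with setJsonpParameterNames (a real method, deprecated from 5.0.7 onward) makes the view refuse wrapping on affected versions as well as patched ones.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.junit.jupiter.api.Test;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Controller;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

/** Regression test (hypothetical names): JSONP request parameters must not alter the JSON response. */
class JsonpRegressionTest {

    // Preferred shape: plain JSON via the message-converter path.
    @RestController
    static class RestDataController {
        @GetMapping("/api/data")
        public Map<String, Object> data() {
            Map<String, Object> m = new HashMap<>();
            m.put("token", "secret-token"); // constructed sample value
            return m;
        }
    }

    // If the view cannot be removed yet: clear the JSONP parameter names explicitly.
    // On affected versions the default set is {"jsonp", "callback"}; an empty set disables wrapping.
    @Controller
    static class ViewDataController {
        private final MappingJackson2JsonView view = new MappingJackson2JsonView();

        ViewDataController() {
            view.setJsonpParameterNames(Collections.emptySet());
        }

        @GetMapping("/view/data")
        public ModelAndView data() {
            Map<String, Object> model = new HashMap<>();
            model.put("token", "secret-token"); // constructed sample value
            return new ModelAndView(view, model);
        }
    }

    // Both parameter names the affected versions honoured by default.
    private static final String[] JSONP_PARAMS = {"callback", "jsonp"};

    @Test
    void restControllerIgnoresJsonpParameters() throws Exception {
        MockMvc mvc = MockMvcBuilders.standaloneSetup(new RestDataController()).build();
        for (String name : JSONP_PARAMS) {
            assertPlainJson(mvc, "/api/data", name);
        }
    }

    @Test
    void hardenedViewIgnoresJsonpParameters() throws Exception {
        MockMvc mvc = MockMvcBuilders.standaloneSetup(new ViewDataController()).build();
        for (String name : JSONP_PARAMS) {
            assertPlainJson(mvc, "/view/data", name);
        }
    }

    // Requests the endpoint with a JSONP parameter set and checks that the reply is still bare JSON.
    private static void assertPlainJson(MockMvc mvc, String path, String paramName) throws Exception {
        String body = mvc.perform(get(path).param(paramName, "leak"))
                .andExpect(status().isOk())
                // A JSONP reply would be served as application/javascript, failing this matcher.
                .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON))
                .andReturn().getResponse().getContentAsString();
        // A JSONP reply would read leak({...}); a plain JSON object starts with '{'.
        assertTrue(body.trim().startsWith("{"), "expected a bare JSON object when " + paramName + " is supplied");
        assertFalse(body.contains("leak("), "response must not be wrapped in the supplied callback");
    }
}
```

Run with the usual Maven or Gradle test task. On an unpatched 4.3.x or 5.0.x build, the test against the unhardened vulnerable controller from the page would fail on the content-type matcher, which is exactly the signal you want before and after the framework upgrade.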