Security Misconfiguration

How to Fix Security Misconfiguration in Spring Boot [March 2026] [CVE-2018-11040]

[Updated March 2026] Updated CVE-2018-11040

Overview

In CVE-2018-11040, older Spring Framework versions (5.0.x before 5.0.7 and 4.3.x before 4.3.18, plus older unsupported releases) could be exploited to enable cross-domain requests via JSONP (JSON with Padding). The vulnerability arises when a Spring MVC application configures a JSON view (such as MappingJackson2JsonView) to render JSON responses: when a JSONP callback parameter is present on the request, the framework wraps the JSON in a call to that JavaScript function. A malicious third-party page can then read data from your API by embedding a script tag that supplies a callback of its choosing, leaking sensitive information across origins. The weakness is categorized under CWE-829: Exposure of Sensitive Information due to insecure configuration.

The Spring project published patches for the affected versions. In a Spring Boot context, this misconfiguration occurs if an application explicitly registers a JSON view as a default or global view, enabling JSONP even when the application otherwise serves pure JSON to legitimate clients. The primary fixes are upgrading to a patched Spring Framework version or removing the problematic JSON view configuration. If JSONP is not required, rely on standard JSON responses and implement CORS and proper access controls instead.

Affected Versions

Spring Framework 5.0.x prior to 5.0.7; Spring Framework 4.3.x prior to 4.3.18; older unsupported versions. The issue is exposed when MappingJackson2JsonView (or equivalent) is configured in a Spring Boot app.

Code Fix Example

Spring Boot API Security Remediation
// Vulnerable pattern (JSONP enabled via MappingJackson2JsonView)
// File: DemoApplication.java
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;
import org.springframework.web.servlet.view.ContentNegotiatingViewResolver;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    // Nested controller is static so component scanning can instantiate it
    // without an enclosing DemoApplication instance
    @RestController
    public static class DataController {
        @GetMapping("/data")
        public Map<String, String> data() {
            Map<String, String> map = new HashMap<>();
            map.put("secret", "sensitive-value");
            return map;
        }
    }
}

@Configuration
class JsonpVulnerableConfig {
    @Bean
    public ContentNegotiatingViewResolver contentNegotiatingViewResolver() {
        ContentNegotiatingViewResolver resolver = new ContentNegotiatingViewResolver();
        List<View> defaultViews = new ArrayList<>();
        // Vulnerable: on affected versions MappingJackson2JsonView honours the JSONP
        // callback parameter by default, so registering it as a default view lets any
        // request carrying that parameter receive the JSON wrapped in a script call
        defaultViews.add(new MappingJackson2JsonView());
        resolver.setDefaultViews(defaultViews);
        return resolver;
    }
}

// Fixed pattern (JSONP disabled by removing JSON view)
// File: JsonpFixedConfig.java, same package; replaces JsonpVulnerableConfig above
package com.example.demo;

import java.util.ArrayList;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.view.ContentNegotiatingViewResolver;

@Configuration
class JsonpFixedConfig {
    @Bean
    public ContentNegotiatingViewResolver contentNegotiatingViewResolverFixed() {
        ContentNegotiatingViewResolver resolver = new ContentNegotiatingViewResolver();
        // Do not register a JSONP-capable JSON view; @RestController/@ResponseBody
        // endpoints are rendered through HttpMessageConverters and return JSON only
        resolver.setDefaultViews(new ArrayList<>());
        return resolver;
    }
}
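A regression check for the fix, added here as an example and not code from the original page: a Spring Boot MockMvc test (it assumes spring-boot-starter-test on the classpath and the DemoApplication and DataController shown above, and uses the JUnit 4 runner that Spring Boot 2.0.x ships with) that requests /data with each JSONP callback parameter name and asserts the body comes back as plain JSON rather than wrapped in a function call.

```java
package com.example.demo;

import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.not;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Added example: fails the build if a JSONP callback parameter still wraps the JSON body.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class JsonpDisabledTest {

    @Autowired
    private MockMvc mockMvc;

    // "jsonp" and "callback" are the parameter names MappingJackson2JsonView
    // honoured by default before the fix
    private static final String[] CALLBACK_PARAMS = {"callback", "jsonp"};

    @Test
    public void responseIsPlainJsonEvenWhenCallbackParamIsPresent() throws Exception {
        for (String param : CALLBACK_PARAMS) {
            mockMvc.perform(get("/data").param(param, "cb").accept(MediaType.ALL))
                .andExpect(status().isOk())
                // Content type must be JSON, never a script type
                .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_JSON))
                // Body must be the bare object, not cb({"secret":...});
                .andExpect(content().string(not(containsString("cb("))))
                .andExpect(content().string(containsString("\"secret\"")));
        }
    }
}
```

Run it again after upgrading Spring Framework: on 5.0.7 / 4.3.18 and later the test passes with or without JsonpFixedConfig, which confirms the framework-level fix independently of the configuration change.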

CVE References
