
[Aikido] Fix 14 security issues in spring-core, spring-webmvc, spring-web and 7 more #302

Closed

aikido-autofix[bot] wants to merge 1 commit into main from fix/AIK-14799-update-packages-47021571-fyfp


Conversation

@aikido-autofix aikido-autofix Bot commented Jun 9, 2026

Upgrade Spring and Jetty/Netty dependencies to fix open redirect/SSRF vulnerabilities in URL parsing, HTTP request smuggling, and IPv6 access control bypass.

⚠️ Incomplete breaking changes analysis (8/11 analyzed)

⚠️ Breaking changes analysis not available for: org.eclipse.jetty:jetty-server, org.eclipse.jetty:jetty-http, io.netty:netty-handler

✅ The breaking changes in Spring Core 5.3.20 => 5.3.48 related to SimpleEvaluationContext and SpEL (Spring Expression Language) do not affect this codebase. No usage of SimpleEvaluationContext, SpEL expression parsing, or SpEL-enabled annotations was found in the codebase.

All breaking changes by upgrading org.springframework:spring-core from version 5.3.20 to 6.2.11 (CHANGELOG)

| Version | Description |
|---|---|
| 5.3.38 | SimpleEvaluationContext does not enforce read-only semantics (#33320) - This bug fix enforces read-only semantics that were previously not enforced, which may break code that was performing write operations. |
| 5.3.27 | Disable variable assignment in SimpleEvaluationContext (#30327) - This explicitly disables variable assignment functionality that was previously available. |
| 5.3.27 | Limit SpEL expression length (#30329) - This introduces a length limit on SpEL expressions that did not exist before, potentially breaking expressions that exceed the limit. |
| 5.3.27 | Limit string concatenation in SpEL expressions (#30331) - This introduces limits on string concatenation in SpEL that did not exist before. |

✅ 14 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
|---|---|---|
| CVE-2024-22262 | HIGH | [spring-core] UriComponentsBuilder fails to properly parse externally provided URLs, allowing attackers to bypass host validation checks and perform open redirect or SSRF attacks. |
| CVE-2024-22243 | HIGH | [spring-core] UriComponentsBuilder fails to properly validate URLs parsed from external input, allowing attackers to bypass host validation checks and potentially perform open redirect or SSRF attacks. |
| CVE-2024-22259 | HIGH | [spring-core] UriComponentsBuilder fails to properly parse externally provided URLs, allowing attackers to bypass host validation checks and conduct open redirect or SSRF attacks. |
| CVE-2025-41249 | MEDIUM | [spring-core] Spring Framework's annotation detection may fail to resolve security annotations on methods in generic superclasses, potentially bypassing authorization checks when using Spring Security's @EnableMethodSecurity feature. |
| CVE-2024-38820 | MEDIUM | [spring-core] The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. |
| AIKIDO-2024-10361 | LOW | [spring-core] A locale-dependent case sensitivity flaw in string handling allows attackers to bypass security checks by exploiting inconsistent case conversion across different locales. This vulnerability can lead to improper field protection and unauthorized access to restricted functionality. |
| CVE-2024-38809 | LOW | [spring-core] ETag parsing from "If-Match" or "If-None-Match" request headers is vulnerable to denial of service attacks through unbounded header processing. |
| CVE-2026-2332 | HIGH | [jetty-server] The HTTP/1.1 parser incorrectly handles chunk extensions with unclosed quoted strings, terminating parsing at \r\n instead of treating it as an error, enabling HTTP request smuggling attacks. This allows attackers to inject malicious requests that bypass security controls. |
| CVE-2025-11143 | MEDIUM | [jetty-server] URI parser interprets invalid or unusual URIs differently than other common parsers, potentially allowing security bypasses when multiple components parse URIs inconsistently or disclosing implementation details through differential parsing behavior. |
| CVE-2024-6763 | MEDIUM | [jetty-server] Insufficient validation of URI authority segments in HttpURI can cause host extraction discrepancies between Jetty and browsers, enabling open redirect or SSRF attacks when combined with vulnerable browsers. |
| CVE-2026-44249 | HIGH | [netty-handler] An incorrect masking operation in IPv6 subnet filtering allows attackers to bypass access control rules by using valid public IP addresses that should be restricted. This vulnerability enables unauthorized access through an access control bypass. |
| AIKIDO-2026-10571 | MEDIUM | [spring-core] Static resource handling on Windows is vulnerable to uncontrolled resource consumption when resolving crafted requests, allowing attackers to exhaust HTTP connections and cause denial of service. |
| AIKIDO-2024-10363 | LOW | [spring-core] A locale-dependent case sensitivity flaw in string handling allows attackers to bypass security checks by exploiting inconsistent case conversion across different locales. This vulnerability can lead to improper field protection and unauthorized access to restricted functionality. |
| CVE-2026-47244 | MEDIUM | [netty-codec-http2] HTTP/2 servers fail to advertise or enforce stream limits by default, allowing attackers to create hundreds of thousands of streams on a single connection, causing memory exhaustion and enabling Rapid-Reset amplification attacks (DoS). |

🔗 Related Tasks

Comment thread: agent/build.gradle

4 Open source vulnerabilities detected - medium severity

Aikido detected 4 vulnerabilities across 1 package; it includes 2 medium and 2 low vulnerabilities.

Remediation: Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

@aikido-autofix aikido-autofix Bot (Author) commented:

Closed by Aikido: a new AutoFix has been created → #303

@aikido-autofix aikido-autofix Bot closed this Jun 10, 2026
@aikido-autofix aikido-autofix Bot deleted the fix/AIK-14799-update-packages-47021571-fyfp branch June 10, 2026 22:55