[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2023-20861":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":93,"aliases":94,"duplicate_of":9,"upstream":96,"downstream":97,"duplicates":110,"related":111,"reserved_at":9,"published_at":112,"modified_at":113,"state":114,"summary":115,"references_raw":124,"kevs":163,"epss":164,"epss_history":167,"metrics":428,"affected":436},"CVE-2023-20861","In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.",null,[11,18],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":9,"likelihood_of_exploit":9,"capec":17},"NVD-CWE-NOINFO","Insufficient Information","NVD uses this CWE ID when there is insufficient information to assign a specific CWE.","placeholder","NVD-Reserved",[],{"_key":19,"id":19,"name":20,"description":21,"type":22,"status":23,"abstraction":24,"likelihood_of_exploit":25,"capec":26},"CWE-400","Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource.","weakness","Draft","Class","High",[27,31,89],{"id":28,"name":29,"techniques":30},"CAPEC-147","XML Ping of the Death",[],{"id":32,"name":33,"techniques":34},"CAPEC-227","Sustained Client Engagement",[35],{"id":36,"name":37,"tactics":38,"countermeasures":42},"T1499","Endpoint Denial of Service",[39],{"id":40,"name":41},"TA0105","Impact",[43,48,52,56,60,64,68,72,76,80,85],{"id":44,"name":45,"tactic":46},"D3-UGLPA","User Geolocation Logon Pattern Analysis",{"name":47},"Detect",{"id":49,"name":50,"tactic":51},"D3-PMAD","Protocol Metadata Anomaly Detection",{"name":47},{"id":53,"name":54,"tactic":55},"D3-CSPP","Client-server Payload Profiling",{"name":47},{"id":57,"name":58,"tactic":59},"D3-PHDURA","Per Host Download-Upload Ratio Analysis",{"name":47},{"id":61,"name":62,"tactic":63},"D3-NTSA","Network Traffic Signature Analysis",{"name":47},{"id":65,"name":66,"tactic":67},"D3-APCA","Application Protocol Command Analysis",{"name":47},{"id":69,"name":70,"tactic":71},"D3-NTCD","Network Traffic Community Deviation",{"name":47},{"id":73,"name":74,"tactic":75},"D3-RTSD","Remote Terminal Session Detection",{"name":47},{"id":77,"name":78,"tactic":79},"D3-ISVA","Inbound Session Volume Analysis",{"name":47},{"id":81,"name":82,"tactic":83},"D3-NTF","Network Traffic Filtering",{"name":84},"Isolate",{"id":86,"name":87,"tactic":88},"D3-ITF","Inbound Traffic Filtering",{"name":84},{"id":90,"name":91,"techniques":92},"CAPEC-492","Regular Expression Exponential Blowup",[],[],[95],"GHSA-564r-hj7v-mcr5",[],[98,100,102,104,106,108],{"_key":99},"RHSA-2023:3771",{"_key":101},"RHSA-2023:3622",{"_key":103},"DEBIAN-CVE-2023-20861",{"_key":105},"UBUNTU-CVE-2023-20861",{"_key":107},"RHSA-2023:3610",{"_key":109},"RHSA-2024:0778",[],[],"2023-03-23T00:00:00.000Z","2025-02-25T15:38:17.844Z","Modified",{"cisa_kev":116,"cisa_ransomware":116,"cisa_vendor":9,"epss_severity":117,"epss_score":118,"severity":119,"severity_score":120,"severity_version":121,"severity_source":122,"severity_vector":123,"severity_status":114},false,"low",0.00542,"medium",6.5,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",[125,133,137,142,146,150,154,159],{"url":126,"sources":127,"tags":130},"https://spring.io/security/cve-2023-20861",[128,122,129],"cve.org","osv_maven",[131,132],"Vendor Advisory","WEB",{"url":134,"sources":135,"tags":136},"https://security.netapp.com/advisory/ntap-20230420-0007/",[128,122],[],{"url":138,"sources":139,"tags":140},"https://nvd.nist.gov/vuln/detail/CVE-2023-20861",[129],[141],"Advisory",{"url":143,"sources":144,"tags":145},"https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1",[129],[132],{"url":147,"sources":148,"tags":149},"https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f",[129],[132],{"url":151,"sources":152,"tags":153},"https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5",[129],[132],{"url":155,"sources":156,"tags":157},"https://github.com/spring-projects/spring-framework",[129],[158],"PACKAGE",{"url":160,"sources":161,"tags":162},"https://security.netapp.com/advisory/ntap-20230420-0007",[129],[132],[],{"date":165,"score":118,"percentile":166},"2026-06-04",0.68052,[168,172,175,178,181,184,187,190,193,196,199,202,204,207,210,214,217,220,223,226,229,232,234,237,240,243,246,249,252,255,258,261,264,266,269,271,273,276,279,282,285,288,291,294,297,300,303,306,309,312,315,318,321,324,327,330,333,335,338,341,344,347,350,353,356,359,361,363,366,368,371,374,376,379,381,385,388,391,394,397,400,403,406,409,412,415,418,421,423,425],{"date":169,"score":170,"percentile":171},"2025-11-04",0.00341,0.56217,{"date":173,"score":170,"percentile":174},"2025-11-05",0.56179,{"date":176,"score":170,"percentile":177},"2025-11-06",0.56188,{"date":179,"score":170,"percentile":180},"2025-11-07",0.5621,{"date":182,"score":170,"percentile":183},"2025-11-08",0.56214,{"date":185,"score":170,"percentile":186},"2025-11-09",0.56204,{"date":188,"score":170,"percentile":189},"2025-11-10",0.56176,{"date":191,"score":170,"percentile":192},"2025-11-11",0.5619,{"date":194,"score":170,"percentile":195},"2025-11-12",0.56215,{"date":197,"score":170,"percentile":198},"2025-11-13",0.56223,{"date":200,"score":170,"percentile":201},"2025-11-14",0.56226,{"date":203,"score":170,"percentile":171},"2025-11-15",{"date":205,"score":170,"percentile":206},"2025-11-16",0.562,{"date":208,"score":170,"percentile":209},"2025-11-17",0.56194,{"date":211,"score":212,"percentile":213},"2025-11-18",0.00473,0.62069,{"date":215,"score":212,"percentile":216},"2025-11-19",0.62085,{"date":218,"score":212,"percentile":219},"2025-11-20",0.62074,{"date":221,"score":170,"percentile":222},"2025-11-21",0.56207,{"date":224,"score":170,"percentile":225},"2025-11-22",0.56201,{"date":227,"score":170,"percentile":228},"2025-11-23",0.56177,{"date":230,"score":170,"percentile":231},"2025-11-24",0.56172,{"date":233,"score":170,"percentile":228},"2025-11-25",{"date":235,"score":170,"percentile":236},"2025-11-26",0.56181,{"date":238,"score":170,"percentile":239},"2025-11-27",0.56184,{"date":241,"score":170,"percentile":242},"2025-11-28",0.5616,{"date":244,"score":170,"percentile":245},"2025-11-29",0.56147,{"date":247,"score":170,"percentile":248},"2025-11-30",0.56137,{"date":250,"score":170,"percentile":251},"2025-12-01",0.56292,{"date":253,"score":170,"percentile":254},"2025-12-02",0.56308,{"date":256,"score":170,"percentile":257},"2025-12-03",0.56305,{"date":259,"score":170,"percentile":260},"2025-12-04",0.56141,{"date":262,"score":170,"percentile":263},"2025-12-05",0.56156,{"date":265,"score":170,"percentile":263},"2025-12-06",{"date":267,"score":170,"percentile":268},"2025-12-07",0.56154,{"date":270,"score":170,"percentile":263},"2025-12-08",{"date":272,"score":170,"percentile":189},"2025-12-09",{"date":274,"score":170,"percentile":275},"2025-12-10",0.56235,{"date":277,"score":170,"percentile":278},"2025-12-11",0.56259,{"date":280,"score":170,"percentile":281},"2025-12-12",0.56285,{"date":283,"score":170,"percentile":284},"2025-12-13",0.5628,{"date":286,"score":170,"percentile":287},"2025-12-14",0.56278,{"date":289,"score":170,"percentile":290},"2025-12-15",0.56266,{"date":292,"score":170,"percentile":293},"2025-12-16",0.56277,{"date":295,"score":170,"percentile":296},"2025-12-17",0.56296,{"date":298,"score":170,"percentile":299},"2025-12-18",0.56338,{"date":301,"score":170,"percentile":302},"2025-12-19",0.56344,{"date":304,"score":170,"percentile":305},"2025-12-20",0.56337,{"date":307,"score":170,"percentile":308},"2025-12-21",0.56316,{"date":310,"score":170,"percentile":311},"2025-12-22",0.56298,{"date":313,"score":170,"percentile":314},"2025-12-23",0.56304,{"date":316,"score":170,"percentile":317},"2025-12-24",0.56311,{"date":319,"score":170,"percentile":320},"2025-12-25",0.56358,{"date":322,"score":170,"percentile":323},"2025-12-26",0.56354,{"date":325,"score":170,"percentile":326},"2025-12-27",0.56405,{"date":328,"score":170,"percentile":329},"2025-12-28",0.56319,{"date":331,"score":170,"percentile":332},"2025-12-29",0.56307,{"date":334,"score":170,"percentile":257},"2025-12-30",{"date":336,"score":170,"percentile":337},"2025-12-31",0.56322,{"date":339,"score":170,"percentile":340},"2026-01-01",0.56491,{"date":342,"score":170,"percentile":343},"2026-01-02",0.56472,{"date":345,"score":170,"percentile":346},"2026-01-03",0.56464,{"date":348,"score":170,"percentile":349},"2026-01-04",0.56291,{"date":351,"score":170,"percentile":352},"2026-01-05",0.56282,{"date":354,"score":170,"percentile":355},"2026-01-06",0.5629,{"date":357,"score":170,"percentile":358},"2026-01-07",0.56317,{"date":360,"score":170,"percentile":305},"2026-01-08",{"date":362,"score":170,"percentile":305},"2026-01-09",{"date":364,"score":170,"percentile":365},"2026-01-10",0.56336,{"date":367,"score":170,"percentile":317},"2026-01-11",{"date":369,"score":170,"percentile":370},"2026-01-12",0.56272,{"date":372,"score":170,"percentile":373},"2026-01-13",0.56246,{"date":375,"score":170,"percentile":355},"2026-01-14",{"date":377,"score":170,"percentile":378},"2026-01-15",0.56294,{"date":380,"score":170,"percentile":308},"2026-01-16",{"date":382,"score":383,"percentile":384},"2026-01-17",0.00364,0.57937,{"date":386,"score":383,"percentile":387},"2026-01-18",0.57932,{"date":389,"score":383,"percentile":390},"2026-01-19",0.57917,{"date":392,"score":383,"percentile":393},"2026-01-20",0.57924,{"date":395,"score":383,"percentile":396},"2026-01-21",0.57928,{"date":398,"score":383,"percentile":399},"2026-01-22",0.57927,{"date":401,"score":383,"percentile":402},"2026-01-23",0.57964,{"date":404,"score":383,"percentile":405},"2026-01-24",0.57973,{"date":407,"score":383,"percentile":408},"2026-01-25",0.57936,{"date":410,"score":383,"percentile":411},"2026-01-26",0.57919,{"date":413,"score":383,"percentile":414},"2026-01-27",0.57929,{"date":416,"score":383,"percentile":417},"2026-01-28",0.57934,{"date":419,"score":383,"percentile":420},"2026-01-29",0.57935,{"date":422,"score":383,"percentile":408},"2026-01-30",{"date":424,"score":383,"percentile":384},"2026-01-31",{"date":426,"score":383,"percentile":427},"2026-02-01",0.58084,[429,434],{"source":122,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":430,"cvss_v4_0":9},{"baseScore":120,"baseSeverity":431,"vectorString":123,"impactScore":432,"exploitabilityScore":433},"MEDIUM",6,7.2,{"source":129,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":435,"cvss_v4_0":9},{"baseScore":120,"baseSeverity":9,"vectorString":123,"impactScore":432,"exploitabilityScore":433},[437,459],{"ecosystem":438,"name":439,"vendor":440,"product":441,"cpe_part":9,"purl_type":442,"purl_namespace":440,"purl_name":441,"source":9,"versions":443},"Maven","org.springframework:spring-expression","org.springframework","spring-expression","maven",[444,452,456],{"version":445,"is_range":446,"range_type":447,"version_start":448,"version_start_type":449,"version_end":450,"version_end_type":451,"fixed_in":9},"gte6_0_0_lt6_0_7",true,"ecosystem","6.0.0","including","6.0.7","excluding",{"version":453,"is_range":446,"range_type":447,"version_start":454,"version_start_type":449,"version_end":455,"version_end_type":451,"fixed_in":9},"gte5_3_0_lt5_3_26","5.3.0","5.3.26",{"version":457,"is_range":446,"range_type":447,"version_start":9,"version_start_type":9,"version_end":458,"version_end_type":451,"fixed_in":9},"lt5_2_23_RELEASE","5.2.23.RELEASE",{"ecosystem":9,"name":460,"vendor":9,"product":460,"cpe_part":9,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":461},"Spring Framework",[462,466,469],{"version":463,"is_range":446,"range_type":464,"version_start":9,"version_start_type":9,"version_end":465,"version_end_type":449,"fixed_in":9},"lte5.2.22","cpe","5.2.22",{"version":467,"is_range":446,"range_type":464,"version_start":454,"version_start_type":449,"version_end":468,"version_end_type":449,"fixed_in":9},"gte5.3.0_lte5.3.25","5.3.25",{"version":470,"is_range":446,"range_type":464,"version_start":448,"version_start_type":449,"version_end":471,"version_end_type":449,"fixed_in":9},"gte6.0.0_lte6.0.6","6.0.6"]