Security Patch - April 2024 (updated July 2024)
Two vulnerabilities in the Spring Framework library were disclosed on February 21st and March 15th, 2024, tracked as CVE-2024-22243 and CVE-2024-22259.
The vulnerabilities are located in Spring, which is embedded in all versions of Jahia, in the parsing of externally provided URLs (e.g. a URL received through a query parameter) and in the validation checks performed on the host of the parsed URL: a crafted URL can make the host check see a different host from the one an HTTP client or browser will actually connect to. If such a URL is used after passing validation, this can lead to an open redirect attack or to a Server-Side Request Forgery (SSRF) attack.
At the time of writing this security patch page, there have been no exploits published.
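The bug class behind these CVEs, as an added illustration that is not the page's, Jahia's or Spring's code: a host check that looks at a different representation of the URL than the one the client will actually follow. The exact Spring payloads depend on how UriComponentsBuilder handled the userinfo part of a URL and are not reproduced here; this Python version shows the same mistake with the standard library parser. The hostnames and the allow-list are constructed for the example.

```python
"""Added illustration (not Spring's or Jahia's code) of the host-confusion bug
class: validating the host in one representation of a URL while the client
follows another.  Hostnames and the allow-list are constructed."""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example-site.test"}   # constructed allow-list of redirect targets


def naive_is_allowed(url: str) -> bool:
    """Vulnerable check: matches the allowed host against the raw string.
    Whatever precedes '@' in the authority is userinfo, not the host, so
    'https://www.example-site.test@attacker.test/' passes this check."""
    return any(url.lower().startswith(f"https://{h}") for h in ALLOWED_HOSTS)


def effective_host(url: str) -> Optional[str]:
    """The host an HTTP client will actually connect to (urlsplit drops userinfo)."""
    try:
        return urlsplit(url).hostname
    except ValueError:          # e.g. unbalanced '[' in the authority
        return None


def strict_is_allowed(url: str) -> bool:
    """Hardened check: parse first, compare the parsed host exactly, and refuse
    anything carrying userinfo or a non-http(s) scheme so no parser ambiguity
    is left for the client to resolve differently."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False            # userinfo has no legitimate use in a redirect target
    host = parts.hostname       # already lower-cased by urlsplit
    return host is not None and host in ALLOWED_HOSTS


def classify(url: str) -> dict:
    """Side-by-side verdicts for one URL: what the naive check says, what the
    hardened check says, and where a client would really go."""
    return {
        "naive": naive_is_allowed(url),
        "strict": strict_is_allowed(url),
        "effective_host": effective_host(url),
    }


if __name__ == "__main__":
    for u in ("https://www.example-site.test/account",
              "https://www.example-site.test@attacker.test/login",
              "https://www.example-site.test.attacker.test/",
              "//attacker.test/"):
        print(u, classify(u))
```

The naive check accepts `https://www.example-site.test@attacker.test/login` because the allowed host sits in the userinfo, while any HTTP client connects to attacker.test; it also accepts `https://www.example-site.test.attacker.test/` by prefix. The hardened version parses first, compares the parsed host, and rejects userinfo outright. The Spring fixes likewise changed the userinfo pattern accepted by the parser, which is what the verification script at the end of this page inspects.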
Update (July 2024)
In the weeks following the Spring vulnerabilities, an additional CVE (CVE-2024-22262) was published for the same code, and the Spring team made further changes to the Spring codebase to improve the robustness of its URL parsing.
These changes have been backported into spring-web-3.2.18.jahia5_OSGI.jar (MD5: 4bdc9d50c4b6498dd326627694315bcd); we recommend that customers upgrade to this version.
Impacted versions
- All versions of Jahia (7.x and 8.x) are impacted to some extent by these vulnerabilities.
- jCustomer is not affected, as it does not use Spring.
Patch addressing the attack vector
The following procedure needs to be applied on each cluster node in your Jahia environment. It is not necessary to shut down the entire cluster: proceed with a rolling restart (stop a node, apply the patch and restart that node while the other cluster nodes stay up and running).
- Download the patched spring-web-3.2.18.jahia5_OSGI.jar (MD5: 4bdc9d50c4b6498dd326627694315bcd) library and check that its MD5 matches before installing it
- Stop your server / cluster node
- Remove the spring-web-*.jar lib file from the tomcat/webapps/ROOT/WEB-INF/lib folder
- Add the previously downloaded spring-web-3.2.18.jahia5_OSGI.jar to the tomcat/webapps/ROOT/WEB-INF/lib folder
- Restart your server / cluster node
- Repeat with the other cluster nodes
This procedure has been validated with Jahia 8.1.3+ releases and with Jahia 7.3.10.
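The per-node steps above, as an added helper that is not Jahia's own tooling: it checks the downloaded jar against the MD5 published on this page, removes the old spring-web jar from WEB-INF/lib and copies the new one in, refusing to half-apply anything if the folder or the hash looks wrong, so the same action can be repeated identically on every cluster node. Stopping and restarting the node is left to you, because how a node is managed (init script, systemd, container) is not something this page specifies; the Jahia root path used in the usage line is an assumption.

```python
"""Added example (not Jahia's own tooling): swap spring-web-*.jar in
tomcat/webapps/ROOT/WEB-INF/lib for the patched jar, after verifying its MD5.
Run it on each node while that node is stopped, then restart the node."""
import hashlib
import shutil
from pathlib import Path

# Hash published on this page for spring-web-3.2.18.jahia5_OSGI.jar
EXPECTED_MD5 = "4bdc9d50c4b6498dd326627694315bcd"
# Lib folder named in the procedure above, relative to the Jahia root
LIB_SUBDIR = Path("tomcat/webapps/ROOT/WEB-INF/lib")


def md5_of(path: Path) -> str:
    """Streamed MD5 so a large jar is not read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(jar: Path, expected_md5: str = EXPECTED_MD5) -> bool:
    """MD5 only catches a corrupted or wrong download; it is not a signature,
    so still fetch the jar over TLS from the vendor's own site."""
    return jar.is_file() and md5_of(jar) == expected_md5.lower()


def install_spring_web(jahia_home: Path, new_jar: Path,
                       expected_md5: str = EXPECTED_MD5) -> Path:
    """Replace the single spring-web-*.jar under jahia_home with new_jar.
    Raises RuntimeError, without touching the lib folder, when the hash does
    not match, the folder is missing, or the folder does not hold exactly one
    spring-web jar.  Re-running on an already patched node is a no-op."""
    if not verify_download(new_jar, expected_md5):
        raise RuntimeError(f"{new_jar} failed the MD5 check; do not install it")
    libdir = jahia_home / LIB_SUBDIR
    if not libdir.is_dir():
        raise RuntimeError(f"{libdir} not found; is {jahia_home} the Jahia root?")
    old = sorted(libdir.glob("spring-web-*.jar"))
    if len(old) != 1:
        raise RuntimeError(f"expected exactly one spring-web-*.jar in {libdir}, found {old}")
    target = libdir / new_jar.name
    for jar in old:
        if jar.resolve() != target.resolve():   # keep the patched jar if already there
            jar.unlink()
    if new_jar.resolve() != target.resolve():
        shutil.copy2(new_jar, target)
    if md5_of(target) != expected_md5.lower():  # re-check the copy that will be loaded
        raise RuntimeError(f"{target} does not match the expected MD5 after copy")
    return target


if __name__ == "__main__":
    import sys
    # Assumed usage (paths are examples):
    #   python patch_node.py /opt/jahia /tmp/spring-web-3.2.18.jahia5_OSGI.jar
    print("installed", install_spring_web(Path(sys.argv[1]), Path(sys.argv[2])))
```

Stop the node first, run the script, then restart the node and move on to the next one; the hash is re-checked on the copied file so that the jar the JVM will load is the one you verified.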
Jahia 7.x
As Jahia 7.3 is no longer maintained, we highly recommend upgrading to Jahia 8 and applying the above procedure.
Nevertheless, this patch is compatible with Jahia 7.3.x and was validated with Jahia 7.3.10.0
Verifying the library upgrade
You can verify that the patch is present on your environment by executing the following Groovy script from Jahia Tools. It inspects the userinfo pattern of the UriComponentsBuilder class loaded in the running JVM, not the jar on disk, so run it after the node has been restarted, and run it on every cluster node.
import org.springframework.web.util.UriComponentsBuilder

// Each check looks at the regex fragment Spring uses for the userinfo part of a URL;
// each of the three fixes changed that fragment in a recognisable way.
// CVE-2024-22243: unpatched if "[" still appears past the start of the pattern
log.info((UriComponentsBuilder.USERINFO_PATTERN.lastIndexOf("[")>1)?"WARNING !! CVE-2024-22243 patch NOT found":"CVE-2024-22243 patch FOUND");
// CVE-2024-22259: unpatched if the pattern still contains "@"
log.info((UriComponentsBuilder.USERINFO_PATTERN.contains("@"))?"WARNING !! CVE-2024-22259 patch NOT found":"CVE-2024-22259 patch FOUND");
// CVE-2024-22262: unpatched if the pattern lacks the escaped "]" (written "\\\\]" in this Groovy string)
log.info(!UriComponentsBuilder.USERINFO_PATTERN.contains("\\\\]")?"WARNING !! CVE-2024-22262 patch NOT found":"CVE-2024-22262 patch FOUND");
It logs "[...] patch FOUND" for each of the three CVEs when the patched library is loaded. Any "WARNING !! [...] patch NOT found" line means that node is still running the old spring-web jar, or was not restarted after the jar was replaced.