Impact
Spring MVC and Spring WebFlux applications are vulnerable to Server-Sent Events (SSE) stream corruption. The issue stems from improper handling of event data, which causes garbled payloads to be delivered to clients. It is a data integrity weakness, classified as CWE-115 and CWE-667, and can lead to incorrect application behavior or to downstream services receiving malformed input. It does not provide code execution or privilege escalation, but it can degrade service quality.
Affected Systems
The vulnerability affects the Spring Framework core libraries used by Spring MVC and Spring WebFlux. Projects running Spring Framework versions 5.3.0 through 5.3.46, 6.1.0 through 6.1.25, 6.2.0 through 6.2.16, and 7.0.0 through 7.0.5 that expose Server-Sent Events endpoints are at risk. Any web application or microservice relying on Spring's SSE support for real-time data delivery falls within the affected scope.
Risk and Exploitability
The CVSS score is 2.6, indicating low severity. An EPSS score below 1% shows a very small chance of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. While the advisory does not specify an attack vector, it is inferred that an attacker would need to send or manipulate SSE traffic to the affected application, which would generally require some level of access to the client side or the network path. Consequently, the overall risk remains low, though malformed data could compromise information integrity if an attacker succeeds.
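The practical defence on the receiving side of a corrupted stream is to stop trusting SSE frames silently. The parser below is an added example (not Spring's code and not from the advisory): it splits an SSE text stream using the EventSource field rules and, instead of discarding what the spec would ignore, records integrity problems per event, so a downstream consumer can detect garbled frames rather than act on them. The sample frames and the assumed contract that every `data` payload is one JSON object are constructed for the example.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SseEvent:
    event: str
    data: str
    id: Optional[str]
    problems: list = field(default_factory=list)  # empty list => frame passed checks

    @property
    def ok(self) -> bool:
        return not self.problems

def _check_payload(ev: SseEvent) -> SseEvent:
    # Assumed application contract: each 'data' payload is a single JSON object.
    try:
        if not isinstance(json.loads(ev.data), dict):
            ev.problems.append("data is not a JSON object")
    except ValueError as exc:
        ev.problems.append(f"data is not valid JSON: {exc}")
    return ev

def parse_sse(stream: str) -> list[SseEvent]:
    """Split an SSE stream into events ('name: value' lines, 'data' lines joined
    by newline, blank line dispatches, ':' lines are comments) and attach
    integrity problems instead of silently dropping suspicious input."""
    events: list[SseEvent] = []
    fields: dict[str, list[str]] = {}
    problems: list[str] = []
    for line in stream.split("\n"):
        line = line.rstrip("\r")
        if line == "":                          # blank line: dispatch the event
            if fields.get("data"):
                for name in ("event", "id"):    # last-wins per spec, but a repeat
                    if len(fields.get(name, [])) > 1:   # inside one frame is odd
                        problems.append(f"field '{name}' repeated within one event")
                ev = SseEvent(fields.get("event", ["message"])[-1],
                              "\n".join(fields["data"]),
                              fields.get("id", [None])[-1], problems)
                events.append(_check_payload(ev))
            fields, problems = {}, []
            continue
        if line.startswith(":"):                # comment / keepalive line
            continue
        name, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        if name in ("data", "event", "id", "retry"):
            fields.setdefault(name, []).append(value)
        else:                                   # spec ignores it; we flag it
            problems.append(f"unknown field {name!r} (possible frame corruption)")
    return events

# Constructed sample: one well-formed frame, then a frame whose bytes were
# interleaved with another event's, the kind of garbling described above.
GOOD_FRAME = 'id: 1\nevent: price\ndata: {"symbol": "ACME", "px": 10.5}\n\n'
CORRUPT_FRAME = ('id: 2\nevent: price\ndata: {"symbol": "AC'
                 'id: 3\nevent: price\ndata: ME", "px": 11}\n\n')
```

Running `parse_sse(GOOD_FRAME + CORRUPT_FRAME)` yields two events; the second carries the repeated-field and invalid-JSON problems, which is the signal a consumer should use to drop the frame and alert rather than forward it.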
OpenCVE Enrichment
GitHub GHSA