Impact
When Spring Web Services receives a SOAP request that contains WS‑Addressing ReplyTo or FaultTo headers with non‑anonymous addresses, the framework forwards those URLs directly to its configured WebServiceMessageSender components without any verification. This flaw allows an attacker to trigger outbound HTTP(S) connections to arbitrary destinations from the application server. Such connections can enable network reconnaissance, data exfiltration, or further attacks, thereby compromising confidentiality, integrity, and potentially availability. The weakness is a Server‑Side Request Forgery and is cataloged as CWE‑918.
Affected Systems
The vulnerability affects Spring Web Services for the following releases: 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8. All versions of the Spring Web Services product line are susceptible when WS‑Addressing with non‑anonymous ReplyTo or FaultTo addresses is enabled.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation. Attackers would need an exposed WS endpoint that accepts WS‑Addressing headers; no authentication requirement is noted, so publicly available services present the highest risk. Once triggered, the attacker can cause the application server to reach internal or external hosts that are normally inaccessible, facilitating reconnaissance, exfiltration, or lateral movement. Given the high severity and lack of default defensive checks, the overall risk for affected deployments is significant.
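A check that could run in front of an affected endpoint (gateway, proxy, or log triage) to flag the condition described under Impact. This is an added example, not Spring Web Services code; the function name, the `allowed_hosts` parameter and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# WS-Addressing namespaces mapped to the addresses that mean "reply on the same
# connection" (anonymous) or "send no reply" (none); neither causes an outbound call.
WSA_SAFE = {
    "http://www.w3.org/2005/08/addressing": {
        "http://www.w3.org/2005/08/addressing/anonymous",
        "http://www.w3.org/2005/08/addressing/none",
    },
    "http://schemas.xmlsoap.org/ws/2004/08/addressing": {
        "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
    },
}

def risky_reply_targets(soap_bytes, allowed_hosts=frozenset()):
    """Return [(header, address)] for ReplyTo/FaultTo addresses that would make
    the server connect out to a host not in allowed_hosts (hypothetical allow-list)."""
    if b"<!DOCTYPE" in soap_bytes:  # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in SOAP message")
    root = ET.fromstring(soap_bytes)
    findings = []
    # Match the Header of either SOAP 1.1 or SOAP 1.2 by local name.
    for header in (c for c in root if c.tag.endswith("}Header")):
        for ns, safe in WSA_SAFE.items():
            for name in ("ReplyTo", "FaultTo"):
                for epr in header.findall(f"{{{ns}}}{name}"):
                    addr = (epr.findtext(f"{{{ns}}}Address") or "").strip()
                    if not addr or addr in safe:
                        continue
                    host = (urlsplit(addr).hostname or "").lower()
                    if host not in allowed_hosts:
                        findings.append((name, addr))
    return findings

# Constructed sample request: non-anonymous ReplyTo, anonymous FaultTo.
SAMPLE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsa="http://www.w3.org/2005/08/addressing">
 <soap:Header>
  <wsa:ReplyTo><wsa:Address>http://internal.example:8080/cb</wsa:Address></wsa:ReplyTo>
  <wsa:FaultTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:FaultTo>
 </soap:Header><soap:Body/></soap:Envelope>"""

if __name__ == "__main__":
    print(risky_reply_targets(SAMPLE))
```

Matching is on the literal hostname in the address, so pair it with egress filtering on the application server rather than relying on it alone.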
OpenCVE Enrichment