Impact
Spring HATEOAS’s Collection+JSON and UBER media type deserializers use an internal utility that performs bean property binding via reflection while ignoring Jackson‑level access‑control annotations. This oversight allows an attacker to craft input that sets otherwise restricted properties on Java objects, enabling unauthorized manipulation of application state or exposure of sensitive data. The weakness is an access‑control bypass (CWE‑284) and can lead to elevated privileges or data disclosure within the application.
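As an added illustration (not code from Spring HATEOAS or from this advisory), the toy below contrasts the flawed pattern described above, reflective setter binding that never consults Jackson annotations, with binding delegated to Jackson's ObjectMapper, which honours them. The Account bean, its READ_ONLY role property and the payload are constructed for this example; a unit test of this shape against an application's own model classes is a cheap check that request bodies cannot reach restricted properties.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Map;

public class AccessControlBindingDemo {
    // Hypothetical bean: "role" is READ_ONLY, i.e. it may be serialised out
    // but must never be set from a request body.
    public static class Account {
        private String name;
        @JsonProperty(access = JsonProperty.Access.READ_ONLY)
        private String role = "user";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getRole() { return role; }
        public void setRole(String role) { this.role = role; }
    }

    // Flawed pattern: every payload key that matches a bean setter is written
    // via reflection; Jackson's access-control annotations are never consulted,
    // so the READ_ONLY property is overwritten like any other.
    static Account bindReflectively(Map<String, Object> payload) throws Exception {
        Account target = new Account();
        for (PropertyDescriptor pd
                : Introspector.getBeanInfo(Account.class, Object.class).getPropertyDescriptors()) {
            Object value = payload.get(pd.getName());
            if (value != null && pd.getWriteMethod() != null) {
                pd.getWriteMethod().invoke(target, value);
            }
        }
        return target;
    }

    // Hardened pattern: delegate binding to Jackson itself, which applies
    // @JsonProperty(access = ...) and @JsonIgnore and drops the restricted key.
    static Account bindWithJackson(Map<String, Object> payload) {
        return new ObjectMapper().convertValue(payload, Account.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: a legitimate field plus an attempt to set the restricted one.
        Map<String, Object> payload = Map.of("name", "alice", "role", "admin");
        System.out.println("reflective binder: role=" + bindReflectively(payload).getRole());
        System.out.println("jackson binder:    role=" + bindWithJackson(payload).getRole());
    }
}
```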
Affected Systems
The vulnerability is present in Spring HATEOAS versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3. Any deployment that includes Spring HATEOAS and exposes Collection+JSON or UBER media types is affected.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity; no EPSS score is available, and the vulnerability is not listed in KEV. Attackers could exploit the flaw by sending crafted Collection+JSON or UBER payloads to any endpoint that accepts those media types, which can be done remotely over HTTP. Because the vulnerable code bypasses Jackson annotations, the attack requires only that the application accept the request body, making the exploitation path straightforward for anyone who can influence the payload.
OpenCVE Enrichment