Impact
Spring Security Authorization Server’s authorization endpoint fails to validate the request_uri parameter, so an attacker can submit a malicious request_uri together with an arbitrary redirect_uri. The result is an open redirect that can send users to attacker-controlled sites, facilitating phishing or credential-stealing attacks. The flaw is a classic instance of CWE-601 (URL Redirection to Untrusted Site, "Open Redirect") and affects confidentiality and user trust. The CVSS score of 6.1 reflects moderate severity, consistent with an attacker being able to force a potentially harmful redirection. The EPSS score is not available and the issue is not listed in CISA KEV.
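The defensive rule that closes this class of bug is simple to state: when request_uri is present, the redirect target must come from the stored pushed authorization request, never from the query string, and an unknown request_uri or an unregistered redirect_uri must be answered in place with an error page rather than with a redirect. The following Python model of that decision logic is an added example; it is not code from Spring Authorization Server and does not reproduce its Java implementation. The client registration, the pushed-request store, and the `messaging-client` identifiers and URIs are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed client registration: the exact redirect URIs allowed per client_id.
REGISTERED_REDIRECT_URIS = {
    "messaging-client": {"https://client.example.org/login/oauth2/code/messaging-client"},
}

# Constructed store of pushed authorization requests (RFC 9126), keyed by the
# request_uri the PAR endpoint handed back to the client. A real store also
# expires entries and enforces single use; that is omitted here.
PUSHED_REQUESTS = {
    "urn:ietf:params:oauth:request_uri:example-par-handle": {
        "client_id": "messaging-client",
        "redirect_uri": "https://client.example.org/login/oauth2/code/messaging-client",
        "state": "xyz",
    },
}


@dataclass
class Outcome:
    kind: str                       # "redirect" or "error_page"
    location: Optional[str] = None  # set only for "redirect"
    error: Optional[str] = None     # set only for "error_page"


def handle_authorize(query_string: str) -> Outcome:
    """Decide how the authorization endpoint answers a GET with this query string.

    Two rules prevent the open redirect: the redirect_uri is always checked
    against the client's registration before any Location header is built,
    and when request_uri is used the redirect target is taken from the pushed
    request, so a redirect_uri smuggled into the query string is ignored.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    client_id = params.get("client_id")
    allowed = REGISTERED_REDIRECT_URIS.get(client_id)
    if allowed is None:
        return Outcome("error_page", error="invalid_client")

    request_uri = params.get("request_uri")
    if request_uri is not None:
        pushed = PUSHED_REQUESTS.get(request_uri)
        if pushed is None or pushed["client_id"] != client_id:
            # Unknown or foreign request_uri: answer in place, redirect nowhere.
            return Outcome("error_page", error="invalid_request_uri")
        redirect_uri = pushed["redirect_uri"]   # query-string redirect_uri is ignored
        state = pushed.get("state")
    else:
        redirect_uri = params.get("redirect_uri")
        state = params.get("state")

    if redirect_uri not in allowed:
        # Unregistered redirect_uri: the user agent must not be sent there,
        # not even to deliver an error response.
        return Outcome("error_page", error="invalid_request")

    # Only a registered redirect_uri reaches this point; issue a code and redirect.
    response = {"code": secrets.token_urlsafe(32)}
    if state is not None:
        response["state"] = state
    return Outcome("redirect", location=f"{redirect_uri}?{urlencode(response)}")
```

The key property to verify in any authorization server, Spring or otherwise, is that every code path returning a redirect runs after the redirect_uri check, including the error paths: a server that redirects to the supplied redirect_uri in order to report an invalid request_uri has exactly the open redirect this advisory describes.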
Affected Systems
Affected are Spring Authorization Server versions from 1.5.0 to 1.5.7 and Spring Security versions from 7.0.0 to 7.0.5. These versions are used by applications that rely on Spring’s OAuth2 implementations for their authentication and authorization flows. The redirect logic is part of the public authorization endpoint, which is reachable over the internet by design, so any exposed instance of these packages is vulnerable.
Risk and Exploitability
The likely attack vector is a crafted HTTP request to the public authorization endpoint. Successful exploitation requires the attacker to supply an invalid request_uri and a valid redirect_uri; if the server accepts this combination, users are redirected to an attacker-controlled URL. With no EPSS data, the exploit probability is unknown, but because the flaw allows arbitrary redirects, the impact could be high if it is used in spear-phishing campaigns. The vulnerability is not listed in the KEV catalog, so there is no evidence of exploitation in the wild, but the risk remains significant for exposed services.
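Because the attack vector is an ordinary GET to the authorization endpoint, the attempts are visible in web-server or reverse-proxy access logs. The script below is an added example, not tooling from the Spring project: it scans common-log-format lines for requests to the authorization endpoint whose request_uri is not a PAR-issued URN, whose redirect_uri host is outside an allowlist, or which carry both parameters at once, and records whether the server answered with a 302 (a patched server answers such a request in place, not with a redirect). The log lines, the `/oauth2/authorize` path, the allowlisted host and the IP addresses are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts that registered clients may be redirected to (constructed allowlist).
ALLOWED_REDIRECT_HOSTS = {"client.example.org"}
# A request_uri issued by a PAR endpoint is a URN with this prefix (RFC 9126).
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
AUTHORIZE_PATH = "/oauth2/authorize"

# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /oauth2/authorize?client_id=messaging-client&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Aexample-par-handle HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2026:12:00:05 +0000] "GET /oauth2/authorize?client_id=messaging-client&request_uri=not-a-pushed-request&redirect_uri=https%3A%2F%2Fexample.net%2Flanding HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2026:12:00:09 +0000] "GET /oauth2/authorize?client_id=messaging-client&response_type=code&redirect_uri=https%3A%2F%2Fclient.example.org%2Flogin%2Foauth2%2Fcode%2Fmessaging-client HTTP/1.1" 200 1543
198.51.100.5 - - [10/Mar/2026:12:00:12 +0000] "POST /oauth2/token HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_authorize_requests(log_text: str) -> list:
    """Return one finding per suspicious authorization-endpoint request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != AUTHORIZE_PATH:
            continue
        # parse_qs percent-decodes the values, so the URN and URLs are readable.
        params = {k: v[0] for k, v in parse_qs(target.query).items()}
        request_uri = params.get("request_uri")
        redirect_uri = params.get("redirect_uri")
        reasons = []
        if request_uri is not None and not request_uri.startswith(REQUEST_URI_PREFIX):
            reasons.append("request_uri is not a PAR-issued URN")
        if redirect_uri is not None:
            host = urlsplit(redirect_uri).hostname
            if host not in ALLOWED_REDIRECT_HOSTS:
                reasons.append(f"redirect_uri host {host!r} not in allowlist")
        if request_uri is not None and redirect_uri is not None:
            # With PAR the query carries only client_id and request_uri, so
            # a redirect_uri alongside request_uri is itself anomalous.
            reasons.append("request_uri and redirect_uri supplied together")
        if reasons:
            findings.append({
                "line": lineno,
                "client_ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                # A 302 here means the server performed the redirect; a fixed
                # server answers an invalid request_uri in place instead.
                "redirected": m.group("status") == "302",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_authorize_requests(SAMPLE_LOG):
        print(finding)
```

Run against real logs, the `redirected` flag separates noise (scanners probing a patched server, which gets an error page) from requests the server actually honoured, which is the subset worth correlating with user reports of phishing pages.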
OpenCVE Enrichment