Impact
Spring Security’s CookieRequestCache stores the full absolute URL the user attempted to access before authentication in a cookie and then uses that value to redirect the user after login without validating it. The flaw allows an attacker to craft a malicious link that, when clicked, sends the user to a site of the attacker’s choosing immediately after they log in, which can facilitate phishing or credential theft. The weakness is classified as CWE‑601 (URL redirection to an untrusted site), an input validation flaw that lets an attacker supply a redirect URL the application should have rejected.
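As an added illustration, not Spring Security’s own code, the Java method below performs the check the advisory describes as missing: a redirect target recovered from an untrusted cookie is used only if it is a same-site path or an https URL on the application’s own host (assumed here to be app.example.com); anything else falls back to a fixed landing page.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Spring Security's implementation: validate a redirect target
// recovered from an untrusted store (such as a cookie) before using it in a Location header.
public final class SavedRedirectValidator {
    private static final String DEFAULT_TARGET = "/";

    // Returns the saved target if it is same-site, otherwise DEFAULT_TARGET.
    // expectedHost is the host this application serves (assumed "app.example.com" below).
    public static String resolve(String saved, String expectedHost) {
        if (saved == null || saved.isEmpty()) {
            return DEFAULT_TARGET;
        }
        // Browsers treat backslashes and control characters differently from java.net.URI;
        // reject them instead of guessing how they will be normalised.
        if (saved.chars().anyMatch(c -> c == '\\' || c < 0x20 || c == 0x7f)) {
            return DEFAULT_TARGET;
        }
        URI uri;
        try {
            uri = new URI(saved);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative form such as "/account?tab=1". A leading slash is required; a
            // protocol-relative value ("//evil.example/") carries an authority and never gets here.
            String path = uri.getRawPath();
            return path != null && path.startsWith("/") ? saved : DEFAULT_TARGET;
        }
        // Absolute form: accept only https on exactly the expected host, with no userinfo.
        boolean sameOrigin = "https".equalsIgnoreCase(uri.getScheme())
                && uri.getRawUserInfo() == null
                && expectedHost.equalsIgnoreCase(uri.getHost());
        return sameOrigin ? saved : DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        String[] samples = {                         // constructed inputs
            "/account?tab=1",                        // same-site path
            "https://app.example.com/orders",        // same host over https
            "https://evil.example/login",            // foreign host
            "//evil.example/",                       // protocol-relative
            "https://app.example.com.evil.example/", // host-suffix lookalike
            "/\\evil.example"                        // backslash variant
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s, "app.example.com"));
        }
    }
}
```

A stricter variant persists only the path and query of the original request instead of the absolute URL, which removes the need to compare hosts at all.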
Affected Systems
The vulnerability affects several Spring Security release lines: versions 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5. Any deployed application on these versions that relies on CookieRequestCache to redirect users after login is susceptible.
Risk and Exploitability
The CVSS score of 6.1 reflects a medium-severity open redirect. No EPSS score is available, so the historical exploitation probability cannot be inferred. The vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed in-the-wild exploitation as of the last update. An attacker exploits the flaw by inducing a user to visit a specially crafted URL that triggers the redirect after authentication, a low-barrier attack vector that requires neither privileged access nor advanced technical skill.
OpenCVE Enrichment