Impact
The vulnerability stems from WebSocket session identifiers generated in the spring-websocket module that are not cryptographically unpredictable. Because a session ID can be guessed or constructed rather than only drawn from a large random space, an adversary may be able to present a valid identifier and attach to a WebSocket session they do not own, provided the application does not enforce its own authorization checks on top of the session ID. The weakness is classified as CWE‑330, Use of Insufficiently Random Values. The impact ranges from session hijacking to exposure or tampering of data transmitted over the WebSocket channel, but it is limited to scenarios in which an attacker can submit guessed or enumerated session IDs to the server.
Affected Systems
The affected product is the Spring Framework, in versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18 and 7.0.0 through 7.0.7. Any deployment that loads the spring‑websocket module from one of these versions is affected; Spring applications that never use spring‑websocket are not. Check the resolved version of the spring-websocket artifact (for example with mvn dependency:tree or gradle dependencies) rather than the declared Spring Boot version, since it is the module version that matters.
Risk and Exploitability
The CVSS score of 4.8 indicates medium severity. No EPSS score is available, so the probability of exploitation cannot be quantified; the vulnerability is also not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild. The likely attack path is network‑based: an attacker guesses or enumerates WebSocket session identifiers and then attaches to an existing session, or opens a new one if the server accepts client‑supplied IDs. Successful exploitation requires that the application neither enforces proper authorization on WebSocket sessions (for example, binding each session to the authenticated principal that opened it) nor rate‑limits connection attempts; either control sharply reduces the value of a guessable ID. These controls reduce exposure but do not replace moving to a version outside the affected ranges.
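To make the Impact and Risk sections concrete, the following added example (not code from Spring or from this advisory) contrasts a constructed, predictable session-ID scheme with one backed by the OS CSPRNG, runs an attacker's neighbour-enumeration against both, and shows how a guess budget (a stand-in for rate limiting) bounds the attack. The timestamp-plus-counter generator, the clock value and the small session table are all assumptions for illustration; they are not how spring-websocket generates IDs.

```python
import math
import secrets
from dataclasses import dataclass, field


@dataclass
class WeakIdServer:
    """Hypothetical server whose session ids are a millisecond timestamp plus a
    per-process counter: unique, but not unpredictable (CWE-330).
    Constructed stand-in, not spring-websocket's generator."""
    clock_ms: int                       # constructed fixed clock, so the run is deterministic
    counter: int = 0
    sessions: set = field(default_factory=set)

    def open_session(self) -> str:
        self.counter += 1
        sid = f"{self.clock_ms:013d}-{self.counter:04d}"
        self.sessions.add(sid)
        return sid


@dataclass
class StrongIdServer:
    """Same server with ids drawn from the OS CSPRNG: 128 bits of entropy."""
    sessions: set = field(default_factory=set)

    def open_session(self) -> str:
        sid = secrets.token_urlsafe(16)  # 16 random bytes -> 22-char URL-safe id
        self.sessions.add(sid)
        return sid


def weak_neighbours(observed: str):
    """Candidate ids an attacker derives from one id they legitimately received:
    same or adjacent millisecond, nearby counter values, nearest first."""
    ts, ctr = (int(x) for x in observed.split("-"))
    for delta_ms in (0, -1, 1, -2, 2):
        for d in range(1, 51):
            for c in (ctr - d, ctr + d):
                if c >= 1:
                    yield f"{ts + delta_ms:013d}-{c:04d}"


def random_guesses(n: int):
    """Best an attacker can do against an unpredictable id: blind guessing."""
    for _ in range(n):
        yield secrets.token_urlsafe(16)


def hijack(sessions: set, own_id: str, candidates, max_guesses: int):
    """Try candidate ids until one matches a live session other than the
    attacker's own, or the guess budget (stand-in for rate limiting) runs out.
    Returns (hijacked_id_or_None, guesses_spent)."""
    guesses = 0
    for cand in candidates:
        if guesses >= max_guesses:
            break
        guesses += 1
        if cand != own_id and cand in sessions:
            return cand, guesses
    return None, guesses


def demo_weak(max_guesses: int = 1000):
    srv = WeakIdServer(clock_ms=1_700_000_000_000)  # constructed clock value
    victims = [srv.open_session() for _ in range(3)]
    own = srv.open_session()                        # attacker's own legitimate session
    hit, spent = hijack(srv.sessions, own, weak_neighbours(own), max_guesses)
    return hit, spent, victims


def demo_strong(max_guesses: int = 1000):
    srv = StrongIdServer()
    for _ in range(3):
        srv.open_session()
    own = srv.open_session()
    hit, spent = hijack(srv.sessions, own, random_guesses(max_guesses), max_guesses)
    return hit, spent


def expected_seconds_to_hit(id_bits: float, guesses_per_second: float) -> float:
    """Expected time for blind guessing to find one live id (single target):
    half the id space divided by the attacker's sustained guess rate."""
    return 2 ** (id_bits - 1) / guesses_per_second


def effective_bits(candidates: int) -> float:
    """Entropy left once an attacker has narrowed the space to `candidates` ids."""
    return math.log2(candidates)


if __name__ == "__main__":
    hit, spent, victims = demo_weak()
    print(f"weak ids: hijacked {hit} after {spent} guess(es); victims were {victims}")
    hit, spent = demo_strong()
    print(f"strong ids: hijacked {hit} after {spent} guesses")
    print(f"128-bit id at 1e6 guesses/s: {expected_seconds_to_hit(128, 1e6):.3e} s")
    print(f"~500-id neighbourhood: {effective_bits(500):.1f} effective bits")
```

The weak scheme falls on the first guess because one legitimately obtained ID reveals the neighbourhood of every other; the CSPRNG-backed scheme never hits within the budget, and the expected cost for 128 bits is astronomically beyond any rate an attacker can sustain. The guess budget illustrates why the advisory lists rate limiting as a mitigating factor: it caps the number of IDs an attacker can submit, which matters only because the weak ID space is small enough for that cap to bind.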
OpenCVE Enrichment