Impact
An attacker can craft a URL that triggers a 302 redirect to any external host by exploiting Spring MVC or Spring WebFlux applications that map the root path / without an explicit view name. This open redirect flaw, classified as CWE-601, lets a malicious party lure users into visiting phishing sites or load malicious content from a link that appears to belong to the legitimate application. The impact includes credential theft, social engineering, and staging of follow-on attacks; it does not allow direct code execution on, or data exfiltration from, the affected server.
Affected Systems
The flaw is present in the Spring Framework across multiple release lines. Deployments of 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, or 5.3.0 through 5.3.48 are vulnerable. Any application built on one of these versions that maps the root path / as a catch-all without a fixed view name is affected.
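The condition stated in the two sections above is a root mapping that supplies no fixed view name. The following Spring MVC controller is an added example, not code from the advisory or from the Spring project: it shows the at-risk shape (a handler on / that returns no view name) next to a hardened shape that always returns a constant view name, plus a small guard for redirects the application issues on purpose, which is the standard control for CWE-601. The package, class, method and template names are hypothetical, and the assumption that returning an explicit view name removes the framework's derived-view-name path is taken from the advisory's own wording rather than from the Spring source.

```java
// Added example (not from the advisory or the Spring project).
// Package, class, method and view names below are hypothetical.
package com.example.web;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class RootController {

    // At-risk shape described by the advisory: a handler mapped to "/" that
    // supplies no view name, so view selection falls back to framework defaults.
    // Kept commented out for comparison only.
    //
    // @GetMapping("/")
    // public void rootWithoutViewName() {
    // }

    // Hardened shape: a constant view name for "/". Nothing taken from the
    // incoming request path influences which view is rendered.
    @GetMapping("/")
    public String root() {
        return "index"; // hypothetical template, e.g. templates/index.html
    }

    // Guard for redirects the application performs deliberately (CWE-601
    // control, independent of the framework bug): accept only a path inside
    // this application, never an absolute or protocol-relative URL.
    static boolean isSafeLocalRedirect(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Must be a root-relative path such as "/account/settings".
        if (!target.startsWith("/")) {
            return false;
        }
        // "//host" and "/\host" are treated as protocol-relative by browsers.
        if (target.startsWith("//") || target.startsWith("/\\")) {
            return false;
        }
        // Reject characters that could split or rewrite the Location header.
        return !target.contains("\\") && !target.contains("\r") && !target.contains("\n");
    }
}
```

Upgrading to a release outside the affected ranges listed above is the actual remediation; the explicit view name and the redirect guard are defense in depth that also make the pattern easy to spot in code review (any handler on / returning void or null deserves a second look).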
Risk and Exploitability
The CVSS score of 4.2 indicates moderate risk. No EPSS score is available yet, so the likelihood of exploitation in the wild is uncertain, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that a user follow a crafted link, for example one embedded in an email, forum post, or social media message, which then performs the uncontrolled redirect. No further preconditions such as elevated privileges are needed.
OpenCVE Enrichment