Impact
The Spring Framework’s JavaScriptUtils.javaScriptEscape method fails to properly escape characters that can break out of a JavaScript context, allowing an attacker to inject arbitrary JavaScript when the escaped string is rendered in a browser. This flaw can be leveraged to execute malicious scripts in the victim’s browser, compromising the confidentiality or integrity of the user’s session data, or facilitating further phishing or credential theft. The underlying weakness is an input validation error, identified as CWE‑79 (cross‑site scripting), leading to a classic reflected XSS scenario in which untrusted data is included in client‑side output without appropriate sanitization.
Affected Systems
Applications built on Spring Framework versions 7.0.0‑7.0.7, 6.2.0‑6.2.18, 6.1.0‑6.1.27, and 5.3.0‑5.3.48 are vulnerable. This includes any projects that depend on these releases of the framework and utilize JavaScriptUtils for escaping strings in views or other client‑side outputs.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. No EPSS score is available, but because exploitation needs nothing beyond a standard browser, the vulnerability could be widely used by attackers who can persuade users to visit a malicious link or embed the payload in a web page. It is not currently listed in the CISA KEV catalog, but the presence of a client‑side flaw with no authentication or privilege checks means that any user of the affected application is a potential victim. Exploitation requires only that the vulnerable method be called with attacker‑controlled data that is subsequently sent to the browser; no additional credentials are needed.
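The following audit harness is an added example, not code from Spring or from this advisory: it runs a handful of constructed context-breaking strings through the JavaScriptUtils.javaScriptEscape of whatever Spring version is on the classpath and flags any output that could still terminate a quoted JavaScript string or close the enclosing script element. It assumes spring-web is available; the probe strings stand for the general class of dangerous input and do not reproduce the specific bypass, which this page does not detail.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.web.util.JavaScriptUtils;

// Added audit harness (not Spring's own code): feeds constructed probe strings
// through the installed JavaScriptUtils.javaScriptEscape and reports any result
// that could still end a quoted JS string or close the enclosing <script> tag.
public class JavaScriptEscapeAudit {
    // Constructed probes, each with at least one context-breaking character.
    // They illustrate the class of input, not any specific bypass.
    static final List<String> PROBES = Arrays.asList(
        "</script><script>alert(1)</script>",
        "'; alert(1); //",
        "\"; alert(1); //",
        "\\'; alert(1); //",
        "line1\nline2\rline3\u2028line4\u2029");

    // True if the escaped text still holds a raw quote, angle bracket or line
    // terminator, or ends in a lone backslash that escapes nothing.
    static boolean breaksContext(String escaped) {
        for (int i = 0; i < escaped.length(); i++) {
            switch (escaped.charAt(i)) {
                case '"': case '\'': case '<': case '>':
                case '\n': case '\r': case '\u2028': case '\u2029':
                    return true;
                case '\\':
                    if (++i >= escaped.length()) return true; // consumes next char
                    break;
            }
        }
        return false;
    }

    // Probes whose escaped form is still unsafe inside a quoted JS string.
    static List<String> failingProbes() {
        List<String> failing = new ArrayList<>();
        for (String p : PROBES) {
            if (breaksContext(JavaScriptUtils.javaScriptEscape(p))) failing.add(p);
        }
        return failing;
    }

    public static void main(String[] args) {
        List<String> failing = failingProbes();
        for (String p : failing) System.out.println("NOT neutralized: " + p);
        System.exit(failing.isEmpty() ? 0 : 1); // non-zero exit fails a CI gate
    }
}
```

A clean run only shows that these generic probes are neutralized; upgrading to a fixed release remains the actual remediation, and the harness is a regression check to keep in the build afterwards.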
OpenCVE Enrichment