-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability arises from a mismatch in URI normalization between SaToken's AntPathMatcher and Spring's path resolution. SaToken's SaRouter.match() function treats '/admin/password' and '/admin/password/' as distinct paths, while Spring MVC considers them equivalent. This allows attackers to bypass authentication by appending a trailing slash to protected routes. The SaRouter.match() function is directly responsible for defining protected paths but fails to enforce consistent normalization, making it the root cause of the bypass.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cn.dev33:sa-token-core | maven | < 1.36.0 | 1.36.0 |
JavaJavaOngoing coverage of React2Shell