This vulnerability involves improper host parsing in the UriComponentsBuilder class of the Spring Framework, leading to potential server-side request forgery (SSRF). Applications that parse and validate externally supplied URL strings using this component may be tricked into making unauthorized requests to internal or external systems. The affected versions include Spring Framework 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18. The CVSS 3.1 base score is 4.2, reflecting a medium severity with network attack vector, high attack complexity, no privileges required, and user interaction needed. No vendor advisory or patch information is currently available, and no exploits have been reported in the wild.

Successful exploitation could allow an attacker to induce the vulnerable application to send crafted requests to arbitrary hosts, potentially accessing internal resources or services not intended to be reachable. The impact is limited to low confidentiality and integrity loss, with no availability impact reported. The medium severity reflects the need for user interaction and high attack complexity, reducing the likelihood of widespread exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should carefully validate and sanitize any externally provided URLs before passing them to UriComponentsBuilder. Avoid relying solely on this component for host validation. Monitor vendor channels for updates and apply patches promptly once available.