CVE-2014-0054: The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not
Summary
Spring Framework versions before 3.2.8, and 4.0.x before 4.0.2, ship a Jaxb2RootElementHttpMessageConverter (the Spring MVC component that turns XML request bodies into JAXB-annotated objects) that does not disable external entity resolution when it parses incoming XML. This is an XXE (XML External Entity) vulnerability: an XML document can declare an entity whose content is loaded from a file or URL, and a parser that honours such declarations on attacker-supplied input will fetch whatever the attacker points it at. Against an affected application, a remote attacker who can submit a crafted XML body is able to read arbitrary files from the server, cause a denial of service, and conduct CSRF attacks (cross-site request forgery, where a victim's authenticated session is abused to perform actions they did not intend).
Solution / Mitigation
Upgrade Spring Framework to 3.2.8 or later on the 3.2.x line, or to 4.0.2 or later on the 4.0.x line. Until the upgrade is deployed, treat any endpoint that accepts XML request bodies through this converter as exposed, and do not serve it to untrusted clients.
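To make the flaw and the fix concrete, the following is an added example, not code from the Spring Framework or from the CVE record. It contrasts the pattern of the affected converter (unmarshalling straight from a StreamSource, so the JAXB runtime's default parser decides whether entities are resolved) with a hardened variant that builds the SAX reader itself, forbids DOCTYPE declarations and external entities, and hands JAXB a SAXSource so the secured reader is the one actually used. The Note class, the PAYLOAD string and the /etc/hostname path are constructed for the demo; the code assumes a JAXB implementation on the classpath (bundled in Java 8, a separate dependency on Java 11 and later). Whether the unsafe path really echoes the file depends on the JAXB runtime and JAXP defaults in use; the hardened path rejects the document regardless.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class JaxbXxeDemo {

    // Hypothetical request body type used only for this demo.
    @XmlRootElement(name = "note")
    public static class Note {
        public String body;
    }

    // Constructed hostile body: the internal DTD declares an external entity that reads a
    // local file, and the document references it so the file contents land in Note.body.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<note><body>&xxe;</body></note>";

    // Pattern of the affected converter: unmarshal directly from a StreamSource, leaving the
    // JAXB runtime to pick a parser whose defaults decide whether external entities are fetched.
    static Note unmarshalUnsafe(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        return (Note) u.unmarshal(new StreamSource(new StringReader(xml)));
    }

    // Hardened variant: configure the SAX reader explicitly. disallow-doctype-decl rejects any
    // DTD outright; the two entity features are belt-and-braces for parsers that ignore it.
    static Note unmarshalSafe(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        // Wrapping the reader in a SAXSource makes JAXB use it instead of its own parser.
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        return (Note) u.unmarshal(source);
    }

    interface Attempt { Note call() throws Exception; }

    static void run(String label, Attempt attempt) {
        try {
            System.out.println(label + ": body=" + attempt.call().body);
        } catch (Exception e) {
            System.out.println(label + ": rejected with " + e.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        run("unsafe", () -> unmarshalUnsafe(PAYLOAD));
        run("safe  ", () -> unmarshalSafe(PAYLOAD));
    }
}
```

The point to carry over to application code is that the security posture is set by whoever constructs the XML parser. If a framework or library accepts a StreamSource and builds the parser for you, the only way to be sure external entities are off is to build the reader yourself with the features above and pass it in, which is also why upgrading the converter matters: the patched versions do that work inside Spring instead of relying on the runtime's defaults.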
Vulnerability Details
CVSS score: 6.8
EPSS: 34.6%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2014-0054
First tracked: February 15, 2026 at 08:43 PM
Classified by LLM (prompt v3) · confidence: 95%