# CVE-2024-38819 Customer Vault Lab
This is a Cloud Foundry-ready Spring Boot demo for CVE-2024-38819, a path traversal vulnerability in the static resource handling of Spring Framework's functional web frameworks (WebMvc.fn and WebFlux.fn).
## What Is Patched?
CVE-2024-38819 is patched in **Spring Framework**, not directly in Spring Boot.
Spring Boot still matters in the demo because it manages the Spring Framework dependency versions used by the application. A Spring Boot maintenance release can therefore bring in the fixed Framework version for you, but the vulnerable code path and the security fix both live in Spring Framework's WebFlux.fn/WebMvc.fn functional static resource handling.
The app presents a small customer document vault UI. Public documents are served from `/files/**` by WebFlux.fn `RouterFunctions.resources(...)` backed by a `FileSystemResource`, which is the configuration the Spring advisory describes as vulnerable. At startup the app creates:
- a public document directory
- a fake secret outside that public directory
- a symlink used by the proof request to demonstrate traversal
The secret is generated by the app and contains no real credentials.
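The point the symlink in that layout makes is general: a static handler that only normalizes `..` textually and compares path prefixes cannot see a symlink that points back above the public root. The following is an added example for this README, not the lab's own code and not the CVE-2024-38819 request shape. It builds a constructed layout with the same three pieces (public directory, fake secret outside it, symlink inside it; all names hypothetical) and runs the same requests through a lexical check and a real-path check. POSIX only, since it calls `os.symlink`.

```python
"""Why a static-resource root check has to resolve symlinks, not just normalize text.

Added example for this README; it is not the lab's own code and not the
CVE-2024-38819 request shape. The layout below is constructed to mirror the
app's startup layout (public dir, fake secret outside it, symlink inside the
public dir). POSIX only (os.symlink).
"""
import os
import tempfile
from pathlib import Path


def lexical_under_root(root, request_path):
    """Textual check: normalize '..' and compare path prefixes.
    Symlinks are invisible to this check, so a link inside the root can
    still lead to a file outside it."""
    root = os.path.normpath(os.fspath(root))
    candidate = os.path.normpath(os.path.join(root, request_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def real_under_root(root, request_path):
    """Filesystem check: resolve symlinks and '..' on disk, then test containment."""
    root_real = Path(root).resolve()
    try:
        candidate = (root_real / request_path.lstrip("/")).resolve(strict=True)
    except (OSError, RuntimeError):  # missing target or symlink loop
        return None
    if not candidate.is_relative_to(root_real):  # Python 3.9+
        return None
    return candidate


def serve(check, root, request_path):
    """Minimal stand-in for a static handler: apply `check`, then read what it approved."""
    target = check(root, request_path)
    if target is None:
        return 403, None
    try:
        with open(target, "rb") as f:
            return 200, f.read()
    except (FileNotFoundError, IsADirectoryError):
        return 404, None


def build_lab_layout(base):
    """Constructed fixture mirroring the lab's startup layout (hypothetical names)."""
    base = Path(base)
    public = base / "public"
    public.mkdir()
    (public / "brochure.txt").write_text("public document\n")
    (base / "secret.txt").write_text("FAKE-SECRET-no-real-credential\n")
    # A symlink inside the public root that points back above it.
    os.symlink(base, public / "link", target_is_directory=True)
    return public


def run_demo():
    """Return {request: (status with lexical check, status with real-path check)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        public = build_lab_layout(tmp)
        for req in ("brochure.txt", "../secret.txt", "link/secret.txt"):
            results[req] = (serve(lexical_under_root, public, req)[0],
                            serve(real_under_root, public, req)[0])
    return results


if __name__ == "__main__":
    for req, (lexical, real) in run_demo().items():
        print(f"{req:18} lexical={lexical} realpath={real}")
```

Both checks reject the plain `../secret.txt` request; only the real-path check rejects `link/secret.txt`, because `os.path.normpath` never consults the filesystem and the lexical candidate still starts with the public root. This is the class of gap the lab's symlink exercises; the exact request the Spring code mishandles is in the proof script, not here.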
## Versions
This lab intentionally keeps Spring Boot at `3.3.4` in both modes and changes only the managed Spring Framework version:
| Mode | Spring Boot | Spring Framework | Artifact |
| --- | --- | --- | --- |
| Vulnerable | `3.3.4` | `6.1.13` | `target/cve-2024-38819-vulnerable.jar` |
| Patched | `3.3.4` | `6.1.14` | `target/cve-2024-38819-patched.jar` |
The `patched` Maven profile overrides the Spring Boot-managed `spring-framework.version` property:
```xml
<properties>
  <spring-framework.version>6.1.14</spring-framework.version>
</properties>
```
Without that profile, Spring Boot `3.3.4` manages Spring Framework `6.1.13`, which is the vulnerable version used for the demo. (Spring Boot `3.3.5` is the first `3.3.x` release that manages `6.1.14` on its own, which is why the lab pins Boot at `3.3.4` and overrides only the Framework property.)
## Build Artifacts
Build both demo artifacts:
```bash
scripts/build-artifacts.sh
```
This creates two distinct deployable jars:
```text
target/cve-2024-38819-vulnerable.jar
target/cve-2024-38819-patched.jar
```
## Local Run
```bash
mvn spring-boot:run
```
Open:
```text
http://127.0.0.1:8080
```
Run the constrained proof (it requests only the fake secret the app generated at startup):
```bash
python3 scripts/prove-secret-exposure.py --expect vulnerable
```
Expected vulnerable result:
```text
RESULT: vulnerable behavior confirmed. The fake secret was served from outside the public file root.
```
Run patched mode:
```bash
mvn -Ppatched spring-boot:run
```
Then:
```bash
python3 scripts/prove-secret-exposure.py --expect patched
```
## Cloud Foundry
Push vulnerable:
```bash
scripts/cf-push-vulnerable.sh
```
This deploys `target/cve-2024-38819-vulnerable.jar` as `patch-your-spring-vulnerable`.
Run the proof against your app route:
```bash
python3 scripts/prove-secret-exposure.py \
--target https://YOUR-VULNERABLE-ROUTE \
--allow-remote-demo \
--expect vulnerable
```
Push patched:
```bash
scripts/cf-push-patched.sh
```
This deploys `target/cve-2024-38819-patched.jar` as `patch-your-spring-patched`.
Run the same proof:
```bash
python3 scripts/prove-secret-exposure.py \
--target https://YOUR-PATCHED-ROUTE \
--allow-remote-demo \
--expect patched
```
Cleanup:
```bash
cf delete patch-your-spring-vulnerable -f -r
cf delete patch-your-spring-patched -f -r
```
## References
- Spring advisory: https://spring.io/security/cve-2024-38819/
- Public PoC shape: https://github.com/masa42/CVE-2024-38819-POC
- GitHub advisory: https://github.com/advisories/GHSA-g5vr-rgqm-vf78