GHSA-q62f-h9x2-gcqc | High | CVSS 7.5
Spring AI: ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage
🔗 CVE IDs covered (1)
📋 Description
Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.
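The failure mode described above, as an added example that is not Spring AI's code or taken from the advisory: a plain-JDK model of a chat memory keyed by conversation ID, showing a shared fallback ID next to a strict resolver. The store, the `resolve*` helpers, the `"default"` value and the sample messages are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of a chat memory keyed by conversation ID (plain JDK, not Spring AI code).
public class ConversationIdDemo {
    // Assumed placeholder value for the shared fallback named in the advisory title.
    static final String DEFAULT_CONVERSATION_ID = "default";

    // Hypothetical store: conversation ID -> message history.
    static final Map<String, List<String>> memory = new HashMap<>();

    // Risky pattern: a request without an ID silently lands on one shared key.
    static String resolveWithDefault(String conversationId) {
        return conversationId != null ? conversationId : DEFAULT_CONVERSATION_ID;
    }

    // Hardened pattern: the ID is built server-side from the authenticated user and
    // session; missing values are rejected instead of falling back to a shared key.
    static String resolveStrict(String authenticatedUser, String sessionId) {
        if (authenticatedUser == null || authenticatedUser.isBlank()
                || sessionId == null || sessionId.isBlank()) {
            throw new IllegalArgumentException("conversation ID requires user and session");
        }
        // Length prefix keeps ("a:b","c") and ("a","b:c") from mapping to the same key.
        return authenticatedUser.length() + ":" + authenticatedUser + ":" + sessionId;
    }

    // Appends the message and returns the history that would be sent as model context.
    static List<String> chat(String conversationId, String userMessage) {
        List<String> history = memory.computeIfAbsent(conversationId, k -> new ArrayList<>());
        history.add(userMessage);
        return List.copyOf(history);
    }

    public static void main(String[] args) {
        // Constructed sample input: two users, neither request sets a conversation ID.
        chat(resolveWithDefault(null), "alice: my account number is 1234");
        List<String> bobContext = chat(resolveWithDefault(null), "bob: what did we talk about?");
        System.out.println("shared default -> bob's context: " + bobContext);

        memory.clear();
        chat(resolveStrict("alice", "s1"), "alice: my account number is 1234");
        bobContext = chat(resolveStrict("bob", "s2"), "bob: what did we talk about?");
        System.out.println("per-user IDs   -> bob's context: " + bobContext);
    }
}
```

When auditing an application for this pattern, look for chat-memory call sites that never pass a conversation ID, and for IDs taken from client-supplied input rather than from the authenticated session.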
🎯 Affected products (9)
- maven/org.springframework.ai:spring-ai-client-chat:< 1.0.7
- maven/org.springframework.ai:spring-ai-client-chat:>= 1.1.0-M1, < 1.1.6
- maven/org.springframework.ai:spring-ai-client-chat:>= 2.0.0-M1, < 2.0.0-M6
- maven/org.springframework.ai:spring-ai-model:< 1.0.7
- maven/org.springframework.ai:spring-ai-model:>= 1.1.0-M1, < 1.1.6
- maven/org.springframework.ai:spring-ai-model:>= 2.0.0-M1, < 2.0.0-M6
- maven/org.springframework.ai:spring-ai-advisors-vector-store:< 1.0.7
- maven/org.springframework.ai:spring-ai-advisors-vector-store:>= 1.1.0-M1, < 1.1.6
- maven/org.springframework.ai:spring-ai-advisors-vector-store:>= 2.0.0-M1, < 2.0.0-M6