JSONP enabled by default in MappingJackson2JsonView
Description
Affected versions of Spring Framework (5.0.x prior to 5.0.7, 4.3.x prior to 4.3.18, and older unsupported versions) automatically enable JSONP (JSON with Padding) support whenever MappingJackson2JsonView is configured in an application. Neither Spring Framework nor Spring Boot enables JSONP by default; however, any application that uses MappingJackson2JsonView for browser-based JSON responses also exposes JSONP on those endpoints, reachable through the "jsonp" and "callback" query parameters, without having asked for it. This creates an unintended cross-domain data access mechanism that developers may not be aware of, potentially allowing unauthorized third-party websites to retrieve sensitive application data.
Remediation
Apply the appropriate fix based on your Spring Framework version:
Upgrade to Patched Versions (Recommended):
• Spring Framework 5.0.x users: Upgrade to version 5.0.7 or later
• Spring Framework 4.3.x users: Upgrade to version 4.3.18 or later
• Older unsupported versions: Upgrade to a currently supported branch
Temporary Mitigation (if immediate upgrade is not possible):
Disable JSONP support by explicitly setting the jsonpParameterNames property to an empty set in your MappingJackson2JsonView configuration:
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

@Configuration
public class WebConfig {
    @Bean
    public MappingJackson2JsonView jsonView() {
        MappingJackson2JsonView view = new MappingJackson2JsonView();
        // Empty set: no query parameter can request JSONP padding from this view.
        view.setJsonpParameterNames(Collections.emptySet());
        return view;
    }
}
Post-Upgrade Actions:
• If your application requires cross-domain requests, migrate from JSONP to CORS (Cross-Origin Resource Sharing), which provides better security controls
• Review and explicitly configure jsonpParameterNames only if JSONP support is absolutely necessary
• Note that JSONP support is deprecated as of Spring Framework 5.0.7 and 4.3.18, and will be removed in version 5.1
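After applying the upgrade or the mitigation above, it is worth confirming that a JSON endpoint no longer wraps its output when the "jsonp" or "callback" parameter is supplied. The following check is an added example, not part of this advisory or of Spring; it inspects response bodies you have already fetched (the sample bodies are constructed) and assumes Spring's padded output shape of a "/**/" prefix, the callback name, the JSON in parentheses, and a trailing ";".

```python
import json
import re
from typing import Dict, List, Optional

# Query parameter names that an affected MappingJackson2JsonView honours
# out of the box (from the advisory text).
JSONP_PARAMS = ("jsonp", "callback")

# A callback name must be a plain JavaScript identifier (dotted names allowed).
_IDENT = re.compile(r"[A-Za-z_$][\w$.]*")


def jsonp_padding(body: str, callback: str) -> Optional[str]:
    """Return the JSON payload if `body` is JSONP-wrapped for `callback`, else None.

    Assumed shape (not taken from the advisory): "/**/<callback>(<json>);".
    """
    if not _IDENT.fullmatch(callback):
        raise ValueError("callback must be a plain JavaScript identifier")
    pattern = r"\s*(?:/\*\*/)?" + re.escape(callback) + r"\((.*)\);?\s*"
    m = re.fullmatch(pattern, body, re.DOTALL)
    if m is None:
        return None
    inner = m.group(1)
    try:
        json.loads(inner)  # padding must wrap valid JSON, otherwise it is not this view's output
    except ValueError:
        return None
    return inner


def leaking_params(responses: Dict[str, str], callback: str) -> List[str]:
    """Given one response body per JSONP query parameter tried (e.g. ?callback=<callback>),
    list the parameters for which the view still applied JSONP padding."""
    return [name for name, body in responses.items() if jsonp_padding(body, callback) is not None]


# Constructed sample bodies, not captured from a real application.
VULNERABLE_BODY = '/**/cb({"user":"alice","balance":42});'   # affected version, ?callback=cb
FIXED_BODY = '{"user":"alice","balance":42}'                  # after the upgrade or mitigation

SAMPLE_RESPONSES = {"jsonp": VULNERABLE_BODY, "callback": VULNERABLE_BODY}

if __name__ == "__main__":
    print("padding wraps:", jsonp_padding(VULNERABLE_BODY, "cb"))
    print("parameters still honoured:", leaking_params(SAMPLE_RESPONSES, "cb"))
```

An empty list from leaking_params for both parameter names, with the plain JSON body unchanged, is the expected post-fix result.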