Spring's HTTP invoker was built to make Java-to-Java remote procedure calls feel effortless: serialize an object on one end, ship it over HTTP, deserialize it on the other. That convenience is exactly what makes CVE-2016-1000027 dangerous. The flaw lives in HttpInvokerServiceExporter (and the related RemoteInvocationSerializingHttpInvokerRequestExecutor), which accepts and deserializes raw Java object streams from any client that can reach the endpoint — with no validation of what classes are being reconstructed. If an attacker can deliver a crafted serialized payload built from "gadget chain" classes present on the application's classpath (the same technique behind the Apache Commons Collections deserialization wave of 2015–2017), the result is unauthenticated remote code execution.
What makes this CVE unusual is its history. It was filed in 2016 under the Distributed Weakness Filing (DWF) numbering scheme, sat with minimal attention for years, and was then reassessed by NVD, which sharply raised its severity once researchers demonstrated that the underlying pattern was trivially weaponizable in real deployments. The result is a case study every security team should know: a "known" vulnerability that nonetheless silently persisted in production Spring applications for years because it was never treated as urgent.
Affected versions and components
CVE-2016-1000027 is not a single faulty function that a point release quietly fixed — it is an architectural weakness in how Spring's HTTP invoker remoting layer handles Java serialization. NVD's description covers Pivotal Spring Framework releases up through the 5.3.x line (its record references "through 5.3.16"), reflecting the reality that no shipped version of Spring closes the hole outright: any application that instantiates HttpInvokerServiceExporter, HttpInvokerProxyFactoryBean, or otherwise exposes HTTP invoker-based remoting to a network path an untrusted party can reach is potentially affected, regardless of Spring Framework version.
This matters for triage. Unlike a typical CVE where "upgrade to version X" closes the issue, here the vulnerable component is the design pattern itself — Java-serialization-based RPC exposed over HTTP. Spring Remoting technologies that follow the same pattern (RMI-based remoting, JMS-based invokers) share the same underlying risk class: deserialization of untrusted data, tracked generally as CWE-502. Applications most at risk are those that expose HTTP invoker endpoints to the public internet, to less-trusted internal network segments, or to any caller that isn't a fully trusted, tightly coupled internal service.
CVSS, EPSS, and KEV context
When NVD revisited this CVE, it assigned a CVSS score of 9.8 (Critical), reflecting network-reachable, unauthenticated, low-complexity code execution with full impact on confidentiality, integrity, and availability — the same severity band as many of the headline Java deserialization RCEs of the last decade. That jump from an initially obscure, low-attention entry to a critical rating is itself instructive: severity here is a function of exposure and classpath contents (whether a usable gadget chain library is present), not a static property of the code, which is part of why the initial assessment undersold the risk.
As of this writing, CVE-2016-1000027 does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, and we don't have a confirmed, precise EPSS figure to cite here. Treat that as a reason for caution rather than comfort: EPSS and KEV listing reflect observed exploitation activity, and Java deserialization gadget chains are notoriously hard to detect in the wild via generic signatures — exploitation often looks like ordinary HTTP traffic to a legacy endpoint until the payload executes. Absence from KEV should not be read as "this is theoretical." The vulnerability class it belongs to has a long track record of real-world abuse once an exposed, reachable instance is found.
Timeline
- 2016 — The issue is filed as CVE-2016-1000027 via the Distributed Weakness Filing project, describing unsafe Java deserialization in Spring's HTTP invoker service exporter. It receives little mainstream security attention; many vulnerability feeds either omit it or list it without a severity score.
- 2020 — Broader industry re-examination of legacy Java deserialization issues, spurred by continued research into Commons Collections-style gadget chains, keeps attention on RPC mechanisms that deserialize arbitrary objects.
- 2022 — Security researchers publicly revisit CVE-2016-1000027 and demonstrate concrete exploitation paths against applications exposing
HttpInvokerServiceExporter, showing that the "theoretical" 2016 finding is practically exploitable when a suitable gadget chain is on the classpath. NVD reassesses and republishes the entry with the CVSS 9.8 Critical rating, and the advisory becomes widely covered as an old, high-severity Spring bug resurfacing. - Ongoing — Because the root cause is architectural, Spring has not issued a version bump that fully "fixes" the CVE. Guidance from the Spring team and the broader community centers on not exposing HTTP invoker to untrusted callers and migrating away from Java-serialization-based remoting where possible.
Remediation
Because there is no single patch that eliminates this class of risk, remediation is about reducing exposure and hardening deserialization, in layers:
- Inventory first. Identify every application and service that uses
HttpInvokerServiceExporter,HttpInvokerProxyFactoryBean, or other Spring Remoting components backed by Java serialization. Many organizations discover these in legacy internal integration layers that predate REST/JSON adoption. - Restrict network reachability. HTTP invoker endpoints should never be reachable from the public internet or from untrusted network segments. Enforce this with firewall rules, network segmentation, and mutual TLS or strong authentication in front of the endpoint — the endpoint itself does not authenticate the payload's contents.
- Migrate off Java-serialization RPC. Where feasible, replace HTTP invoker-based remoting with REST/JSON, gRPC, or another interchange format that does not reconstruct arbitrary Java objects from untrusted bytes. This is the only change that removes the risk class entirely rather than mitigating it.
- Add deserialization allowlisting as defense in depth. If HTTP invoker cannot be retired immediately, use
ObjectInputFilter(JEP 290) or an equivalent look-ahead deserialization filter to allowlist only the classes your application legitimately needs to deserialize, blocking known gadget chain classes. - Trim the classpath. Removing unused libraries known to contain deserialization gadget chains (older Commons Collections versions, certain Groovy or Spring AOP proxy classes, etc.) reduces the attacker's toolkit even if a deserialization entry point exists.
- Monitor and log. Alert on malformed or unexpected serialized payloads hitting remoting endpoints, and log deserialization exceptions — these are often the first visible signal of probing or exploitation attempts.
- Keep dependencies current. While no Spring release fully closes this design-level issue, staying on a supported, actively patched Spring Framework version ensures you receive fixes for adjacent vulnerabilities and benefit from updated security guidance.
How Safeguard helps
CVE-2016-1000027 is a textbook example of why point-in-time patching isn't enough for software supply chain risk: it's a vulnerability defined by usage pattern and exposure, not just a version number, and it can hide in internal services for years without a CVE scanner flagging urgency. Safeguard is built for exactly this kind of risk.
- Composition-aware SCA. Safeguard's software composition analysis maps not just which Spring Framework version an application depends on, but whether risky components like HTTP invoker-based remoting classes are actually present and reachable in your codebase — surfacing architectural exposure that a version-only CVE scanner would miss.
- SBOM-driven visibility across the fleet. Because this vulnerability spans years of Spring releases with no clean "fixed version," Safeguard's SBOM inventory lets teams instantly answer "which of our services use Java-serialization-based Spring Remoting?" instead of manually auditing each repository.
- Risk-based prioritization. Safeguard correlates CVSS severity with real exploitability signals and your own exposure context (internet-facing vs. internal-only, authentication in front of the endpoint) so that a critical-but-low-KEV-visibility CVE like this one gets triaged by actual risk to your environment, not just its headline score.
- Continuous monitoring for drift. New services and forks reintroduce old patterns. Safeguard continuously rescans dependency graphs and configurations so that a newly added HTTP invoker integration — or a reintroduced vulnerable gadget-chain library — is caught before it reaches production, not years later during an incident.
Old, architecturally-rooted vulnerabilities like CVE-2016-1000027 rarely announce themselves. They wait in legacy integration code until someone finds the exposed endpoint. Supply chain visibility that understands how a component is used — not just which version is installed — is what turns that kind of vulnerability from a lurking incident into a routine remediation item.