All Apache Shiro CVEs — Complete Vulnerability History
Apache Shiro is a popular Java security framework for authentication and authorization. Authentication bypass via path traversal has been a recurring issue.
Java/Maven
Millions of weekly downloads
3 CVEs total
2 CRITICAL
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2020-1957 | 2020 | CRITICAL | Authentication bypass via trailing slash | Fixed 1.5.2 |
| CVE-2020-11989 | 2020 | CRITICAL | Authentication bypass via URL encoding | Fixed 1.5.3 |
| CVE-2023-46749 | 2023 | HIGH | Authentication bypass via path traversal | Fixed 2.0.1 |
Current safe version: 2.0.1
# Before
1.11.0
# After
2.0.1
Then run: mvn dependency:resolve
Paste your manifest — get a fixed version with all CVEs patched in seconds.
Open PackageFix → Free · No signup · No CLI · Runs in your browser
Common questions
Why does Shiro keep having authentication bypass CVEs?
URL normalization is fundamentally tricky — different components (Shiro's path matcher, the servlet container, the web server) may interpret the same URL differently. Shiro 2.0 addresses this with stricter URL normalization.
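As an added illustration of the answer above (this is example code written for this page, not Shiro's own code and not a reproduction of any listed CVE), here is a stand-alone Java sketch of one canonicalization step applied before a path-based access rule. The protected endpoints and the sample requests are constructed for the example. The design rule it demonstrates is the one the answer implies: reduce every request path to a single canonical form, and treat a path that is still ambiguous after one decoding pass (leftover percent signs, null bytes, backslashes, path parameters, or ".." climbing above the root) as denied rather than guessing how another component would read it.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

public class PathCanonicalizer {

    // Hypothetical protected endpoints for this example; a real deployment takes
    // these from its filter chain definition, not from a hard-coded list.
    private static final List<String> PROTECTED = List.of("/admin/users", "/api/internal/keys");

    /** Decode percent escapes exactly once; returns null on a malformed escape. */
    static String decodeOnce(String s) {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        int i = 0;
        while (i < s.length()) {
            int cp = s.codePointAt(i);
            if (cp == '%') {
                if (i + 2 >= s.length()) return null;
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) return null;
                buf.write((hi << 4) | lo);
                i += 3;
            } else {
                byte[] b = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
                buf.write(b, 0, b.length);
                i += Character.charCount(cp);
            }
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * Reduce a request path to one canonical form: single decode, collapsed
     * duplicate slashes, resolved "." and ".." segments, no trailing slash.
     * Returns null for paths that remain ambiguous, so the caller denies them.
     */
    public static String canonicalize(String rawPath) {
        if (rawPath == null || rawPath.isEmpty()) return null;
        String decoded = decodeOnce(rawPath);
        if (decoded == null) return null;
        // After one decode pass, any of these signals input that a servlet
        // container or front-end web server might read differently than we do:
        // '%' (double encoding), NUL, backslash, ';' (path parameters).
        for (char c : "%\0\\;".toCharArray()) {
            if (decoded.indexOf(c) >= 0) return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decoded.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue; // collapses "//" and "/./"
            if (seg.equals("..")) {
                if (segments.isEmpty()) return null;       // would climb above the root
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /** Deny-by-default decision: an unresolvable path counts as protected. */
    public static boolean isProtected(String rawPath) {
        String path = canonicalize(rawPath);
        return path == null || PROTECTED.contains(path);
    }

    /** The fragile comparison the answer warns about: literal match on the raw path. */
    public static boolean naiveIsProtected(String rawPath) {
        return PROTECTED.contains(rawPath);
    }

    public static void main(String[] args) {
        // Constructed sample requests: the same endpoint spelled several ways,
        // plus one unrelated public path.
        String[] samples = {
            "/admin/users",
            "/admin/users/",
            "/admin/%75sers",
            "/admin/../admin/./users",
            "/public/help"
        };
        for (String s : samples) {
            System.out.printf("%-26s canonical=%-14s naive=%-5b canonicalized=%b%n",
                    s, canonicalize(s), naiveIsProtected(s), isProtected(s));
        }
    }
}
```

Compile and run with `javac PathCanonicalizer.java && java PathCanonicalizer`. The point of the output is the disagreement column by column: the raw-string rule recognises only the first spelling, while the canonical rule recognises all four as the same endpoint. This sketch covers only the three classes of difference the table names (trailing slash, percent encoding, dot segments); it does not attempt Unicode or case normalization, and it is no substitute for upgrading to the fixed framework version, which is where the real fix belongs.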
Is Shiro or Spring Security better for new projects?
Spring Security is more actively developed and better integrated with the Spring ecosystem. For new Spring projects, Spring Security is generally recommended over Shiro.