spring-security-web (all versions) are vulnerable to a BREACH attack. The workaround for this issue is to disable http compression for external requests.

Details of the attack and the workaround may be found at : https://github.com/spring-projects/spring-security/pull/4002#issuecomment-239827460