Spring 6.2.9+ causes ALB Lambda validation failures to return 502 instead of 400

[jimmytang-connectid]

A regression appears when running a Spring Boot 3.5.5 (Spring Framework 6.2.9 or later) application on AWS Lambda behind an Application Load Balancer. Requests that should produce HTTP 400 (Jakarta Bean Validation failure on a @Size(max=1) field) return HTTP 502 only when invoked through the ALB. The same Lambda invoked via its Function URL correctly returns HTTP 400. Rolling back to Spring 6.2.8 restores correct 400 behavior through the ALB.

Environment:
Java 21 Lambda
Spring Boot 3.5.5
Spring Framework 6.2.9+ (regression); 6.2.8 works
Dependency: aws-serverless-java-container-springboot3:2.1.4
ALB → Lambda target group (multi-value headers enabled)
Expected: Invalid payload ({"name":"aa"}) → HTTP 400 with validation message.
Actual (6.2.9+ via ALB): HTTP 502 (no body).
Direct Lambda URL: Always returns 400 (all versions).

Reproduction steps (simplified):
Deploy stack (Lambda + ALB) with Spring 6.2.9+.
PUT /audit/v1/event-registrations/hello body: {"name":"aa"} via ALB → 502.
Same request via Function URL → 400.
Change Spring to 6.2.8 in build.gradle.kts, redeploy → ALB now returns 400.
Impact: ALB path unusable for clients relying on validation error semantics.

The ALB path through to the lambda application is unusable for clients relying on validation for springboot v3.5.5 using spring framework v6.2.10 affecting our service and security upgrades.

alb-springboot-lambda-gateway-issue.zip

[sdeleuze]

I think we would need a more minimal repro usable locally without AWS stuff and/or an analysis of what triggers the difference of behavior between Direct Lambda URL and ALB to have something actionable on our side. Like what are the differences between with and without ALB in terms of HTTP headers, etc.

[jimmytang-connectid]

Hi Sébastien,

It looks like you were looking for an analysis of what triggers the difference of behaviour between Direct Lambda URL and ALB.

The zip file containing source code, cdk infra code to reproduce the issue on a deployed environment, and verbose curl outputs that show the difference between the http headers with and without the alb.

alb-springboot-lambda-gateway-issue.zip

Below there are 2 code blocks that show the verbose curl outputs first through the ALB demonstrating the issue, and then second directly to the lambda URL which contains the request and response headers as well as the response body, and the curl command used with a place holder for the domain.

v6.2.10 through the ALB (testcase-2.txt)

curl -v -H "Content-Type: application/json" -X PUT -d '{"name": "aa"}' <ALB_ENDPOINT>/audit/v1/event-registrations/hello
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host AuditL-Audit-DLwRC2NVFw51-1108827923.ap-southeast-2.elb.amazonaws.com:80 was resolved.
* IPv6: 2405:6e00:64::368:3d28, 2405:6e00:64::343f:1d1b
* IPv4: 52.63.29.27, 3.104.61.40
*   Trying [2405:6e00:64::368:3d28]:80...
* Connected to AuditL-Audit-DLwRC2NVFw51-1108827923.ap-southeast-2.elb.amazonaws.com (2405:6e00:64::368:3d28) port 80
> PUT /audit/v1/event-registrations/hello HTTP/1.1
> Host: AuditL-Audit-DLwRC2NVFw51-1108827923.ap-southeast-2.elb.amazonaws.com
> User-Agent: curl/8.7.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 14
> 
} [14 bytes data]
* upload completely sent off: 14 bytes
< HTTP/1.1 502 Bad Gateway
< Server: awselb/2.0
< Date: Wed, 10 Sep 2025 05:24:51 GMT
< Content-Type: text/html
< Connection: keep-alive
< Content-Length: 122
< 
{ [122 bytes data]

100   136  100   122  100    14    750     86 --:--:-- --:--:-- --:--:--   839
* Connection #0 to host AuditL-Audit-DLwRC2NVFw51-1108827923.ap-southeast-2.elb.amazonaws.com left intact
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>

v6.2.10 Directly to the Lambda URL (testcase-3.txt)

curl -v -H "Content-Type: application/json" -X PUT -d '{"name": "aa"}' <FUNCTION_URL_ENDPOINT>/audit/v1/event-registrations/hello
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Host mkmnac5kyzr5eraz3mbddlhzau0gbppm.lambda-url.ap-southeast-2.on.aws:443 was resolved.
* IPv6: 2406:da1c:7bd:9601:8bec:1fc6:a0ce:a845, 2406:da1c:7bd:9603:423d:ee8b:562a:7bf0, 2406:da1c:7bd:9602:a6cc:9c27:b9c2:9657
* IPv4: 16.176.105.73, 54.252.66.252, 54.253.174.220
*   Trying [2406:da1c:7bd:9601:8bec:1fc6:a0ce:a845]:443...
* Connected to mkmnac5kyzr5eraz3mbddlhzau0gbppm.lambda-url.ap-southeast-2.on.aws (2406:da1c:7bd:9601:8bec:1fc6:a0ce:a845) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
} [370 bytes data]
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [6 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [3208 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.lambda-url.ap-southeast-2.on.aws
*  start date: Aug 11 05:24:54 2025 GMT
*  expire date: Sep 10 05:24:54 2026 GMT
*  subjectAltName: host "mkmnac5kyzr5eraz3mbddlhzau0gbppm.lambda-url.ap-southeast-2.on.aws" matched cert's "*.lambda-url.ap-southeast-2.on.aws"
*  issuer: emailAddress=certadmin@netskope.com; CN=ca.auspayplus.au.goskope.com; OU=55d9b8da69560e9d21dd4a2cbab35297; O=Eftpos Payments; L=Sydney; ST=NSW; C=AU
*  SSL certificate verify ok.
* using HTTP/1.x

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0> PUT /audit/v1/event-registrations/hello HTTP/1.1
> Host: mkmnac5kyzr5eraz3mbddlhzau0gbppm.lambda-url.ap-southeast-2.on.aws
> User-Agent: curl/8.7.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 14
> 
} [14 bytes data]
* upload completely sent off: 14 bytes
< HTTP/1.1 400 Bad Request
< Date: Wed, 10 Sep 2025 05:24:54 GMT
< Content-Type: application/json
< Connection: keep-alive
< x-amzn-RequestId: 0e1a2cdd-4b56-4dd5-b057-5eb945487aaa
< X-Amzn-Trace-Id: Root=1-68c10ba6-25630691731316fe3cd73921;Parent=0c67e8a53f5bf60d;Sampled=0;Lineage=1:899ee7f3:0
< Content-Length: 42
< 
{ [42 bytes data]

100    56  100    42  100    14     53     17 --:--:-- --:--:-- --:--:--    71
* Connection #0 to host mkmnac5kyzr5eraz3mbddlhzau0gbppm.lambda-url.ap-southeast-2.on.aws left intact
{"message":"size must be between 0 and 1"}

[sdeleuze]

The zip file containing source code, cdk infra code to reproduce the issue on a deployed environment

We don't have access to an AWS environment, does your reproducer enable us to reproduce the issue locally without any AWS account?

I would also be interested to know if you see Spring related logs in the ALB use case that indicates that the request reaches the Spring Boot application when you get the 502 response.