Search criteria
4 vulnerabilities found for Spring Framework by VMware
CVE-2025-41254 (GCVE-0-2025-41254)
Vulnerability from cvelistv5 – Published: 2025-10-16 14:48 – Updated: 2025-10-16 16:10
VLAI?
Title
Spring Framework STOMP CSRF Vulnerability
Summary
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.
Affected Spring Products and VersionsSpring Framework:
* 6.2.0 - 6.2.11
* 6.1.0 - 6.1.23
* 6.0.x - 6.0.29
* 5.3.0 - 5.3.45
* Older, unsupported versions are also affected.
MitigationUsers of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.
CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware | Spring Framework |
Affected:
5.3.x
Affected: 6.0.x Affected: 6.1.x Affected: 6.2.x |
Credits
This vulnerability was discovered and responsibly reported by Jannis Kaiser.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T16:10:02.754596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T16:10:14.510Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Spring Framework",
"vendor": "VMware",
"versions": [
{
"status": "affected",
"version": "5.3.x"
},
{
"status": "affected",
"version": "6.0.x"
},
{
"status": "affected",
"version": "6.1.x"
},
{
"status": "affected",
"version": "6.2.x"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was discovered and responsibly reported by Jannis Kaiser."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eSTOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\u003c/p\u003e\u003ch1\u003eAffected Spring Products and Versions\u003c/h1\u003e\u003cp\u003eSpring Framework:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6.2.0 - 6.2.11\u003c/li\u003e\u003cli\u003e6.1.0 - 6.1.23\u003c/li\u003e\u003cli\u003e6.0.x - 6.0.29\u003c/li\u003e\u003cli\u003e5.3.0 - 5.3.45\u003c/li\u003e\u003cli\u003eOlder, unsupported versions are also affected.\u003c/li\u003e\u003c/ul\u003e\u003ch1\u003eMitigation\u003c/h1\u003e\u003cp\u003eUsers of affected versions should upgrade to the corresponding fixed version.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected version(s)\u003c/th\u003e\u003cth\u003eFix version\u003c/th\u003e\u003cth\u003eAvailability\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e6.2.x\u003c/td\u003e\u003ctd\u003e6.2.12\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.1.x\u003c/td\u003e\u003ctd\u003e6.1.24\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\"\u003eCommercial\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.0.x\u003c/td\u003e\u003ctd\u003eN/A\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/projects/spring-framework#support\"\u003eOut of support\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.3.x\u003c/td\u003e\u003ctd\u003e5.3.46\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\"\u003eCommercial\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eNo further mitigation steps are necessary.\u003c/p\u003e\u003ch1\u003eCredit\u003c/h1\u003e\u003cp\u003eThis vulnerability was discovered and responsibly reported by Jannis Kaiser.\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.11\n * 6.1.0 - 6.1.23\n * 6.0.x - 6.0.29\n * 5.3.0 - 5.3.45\n * Older, unsupported versions are also affected.\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\nCreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T14:54:08.677Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"name": "Official Advisory",
"url": "https://spring.io/security/cve/2025-41254"
},
{
"name": "CVSS Calculator",
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\u0026version=3.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers of affected versions should upgrade to fixed releases: 6.2.12 (OSS), 6.1.24 (Commercial), and 5.3.46 (Commercial). No further mitigation steps are necessary.\u003c/p\u003e"
}
],
"value": "Users of affected versions should upgrade to fixed releases: 6.2.12 (OSS), 6.1.24 (Commercial), and 5.3.46 (Commercial). No further mitigation steps are necessary."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-16T00:00:00.000Z",
"value": "Initial vulnerability report published"
}
],
"title": "Spring Framework STOMP CSRF Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-41254",
"datePublished": "2025-10-16T14:48:37.350Z",
"dateReserved": "2025-04-16T09:30:25.626Z",
"dateUpdated": "2025-10-16T16:10:14.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41249 (GCVE-0-2025-41249)
Vulnerability from cvelistv5 – Published: 2025-09-16 10:15 – Updated: 2025-09-16 19:29
VLAI?
Title
CVE-2025-41249: Spring Framework Annotation Detection Vulnerability
Summary
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature.
You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces.
This CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 .
Severity ?
7.5 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware | Spring Framework |
Affected:
6.2.x , < 6.2.11
(OSS)
Affected: 6.1.x , < 6.1.23 (commercial) Affected: 5.3.x , < 5.3.45 (COMMERCIAL) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T19:29:22.619095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:29:37.532Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Spring Framework",
"vendor": "VMware",
"versions": [
{
"lessThan": "6.2.11",
"status": "affected",
"version": "6.2.x",
"versionType": "OSS"
},
{
"lessThan": "6.1.23",
"status": "affected",
"version": "6.1.x",
"versionType": "commercial"
},
{
"lessThan": "5.3.45",
"status": "affected",
"version": "5.3.x",
"versionType": "COMMERCIAL"
}
]
}
],
"datePublic": "2025-09-15T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.\u003c/p\u003e\u003cp\u003eYour application may be affected by this if you are using Spring Security\u0027s \u003ccode\u003e@EnableMethodSecurity\u003c/code\u003e\u0026nbsp;feature.\u003c/p\u003e\u003cp\u003eYou are not affected by this if you are not using \u003ccode\u003e@EnableMethodSecurity\u003c/code\u003e\u0026nbsp;or if you do not use security annotations on methods in generic superclasses or generic interfaces.\u003c/p\u003e\u003cp\u003eThis CVE is published in conjunction with \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/security/cve-2025-41248\"\u003eCVE-2025-41248\u003c/a\u003e.\u003c/p\u003e"
}
],
"value": "The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.\n\nYour application may be affected by this if you are using Spring Security\u0027s @EnableMethodSecurity\u00a0feature.\n\nYou are not affected by this if you are not using @EnableMethodSecurity\u00a0or if you do not use security annotations on methods in generic superclasses or generic interfaces.\n\nThis CVE is published in conjunction with CVE-2025-41248 https://spring.io/security/cve-2025-41248 ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T10:15:34.118Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2025-41249"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-41249: Spring Framework Annotation Detection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-41249",
"datePublished": "2025-09-16T10:15:34.118Z",
"dateReserved": "2025-04-16T09:30:25.625Z",
"dateUpdated": "2025-09-16T19:29:37.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41242 (GCVE-0-2025-41242)
Vulnerability from cvelistv5 – Published: 2025-08-18 08:47 – Updated: 2025-08-25 18:14
VLAI?
Title
CVE-2025-41242: Path traversal vulnerability on non-compliant Servlet containers
Summary
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
* the application is deployed as a WAR or with an embedded Servlet container
* the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization
* the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Severity ?
5.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware | Spring Framework |
Affected:
6.2.x , < 6.2.10
(OSS)
Affected: 6.1.x , < 6.1.22 (commercial) Affected: 5.3.x , < 5.3.44 (commercial) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T11:20:32.641979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T18:14:59.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Spring Framework",
"product": "Spring Framework",
"vendor": "VMware",
"versions": [
{
"lessThan": "6.2.10",
"status": "affected",
"version": "6.2.x",
"versionType": "OSS"
},
{
"lessThan": "6.1.22",
"status": "affected",
"version": "6.1.x",
"versionType": "commercial"
},
{
"lessThan": "5.3.44",
"status": "affected",
"version": "5.3.x",
"versionType": "commercial"
}
]
}
],
"datePublic": "2025-08-14T20:41:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSpring Framework MVC applications can be vulnerable to a \u201cPath Traversal Vulnerability\u201d when deployed on a non-compliant Servlet container.\u003c/p\u003e\u003cp\u003eAn application can be vulnerable when all the following are true:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe application is deployed as a WAR or with an embedded Servlet container\u003c/li\u003e\u003cli\u003ethe Servlet container \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization\"\u003edoes not reject suspicious sequences\u003c/a\u003e\u003c/li\u003e\u003cli\u003ethe application \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title\"\u003eserves static resources\u003c/a\u003e\u0026nbsp;with Spring resource handling\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWe have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Spring Framework MVC applications can be vulnerable to a \u201cPath Traversal Vulnerability\u201d when deployed on a non-compliant Servlet container.\n\nAn application can be vulnerable when all the following are true:\n\n * the application is deployed as a WAR or with an embedded Servlet container\n * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization \n * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title \u00a0with Spring resource handling\n\n\nWe have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T08:47:07.427Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "http://spring.io/security/cve-2025-41242"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-41242: Path traversal vulnerability on non-compliant Servlet containers",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-41242",
"datePublished": "2025-08-18T08:47:07.427Z",
"dateReserved": "2025-04-16T09:30:17.799Z",
"dateUpdated": "2025-08-25T18:14:59.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41234 (GCVE-0-2025-41234)
Vulnerability from cvelistv5 – Published: 2025-06-12 21:14 – Updated: 2025-06-13 14:03
VLAI?
Title
RFD Attack via “Content-Disposition” Header Sourced from Request
Summary
Description
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.
Specifically, an application is vulnerable when all the following are true:
* The header is prepared with org.springframework.http.ContentDisposition.
* The filename is set via ContentDisposition.Builder#filename(String, Charset).
* The value for the filename is derived from user-supplied input.
* The application does not sanitize the user-supplied input.
* The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).
An application is not vulnerable if any of the following is true:
* The application does not set a “Content-Disposition” response header.
* The header is not prepared with org.springframework.http.ContentDisposition.
* The filename is set via one of: * ContentDisposition.Builder#filename(String), or
* ContentDisposition.Builder#filename(String, ASCII)
* The filename is not derived from user-supplied input.
* The filename is derived from user-supplied input but sanitized by the application.
* The attacker cannot inject malicious content in the downloaded content of the response.
Affected Spring Products and VersionsSpring Framework:
* 6.2.0 - 6.2.7
* 6.1.0 - 6.1.20
* 6.0.5 - 6.0.28
* Older, unsupported versions are not affected
MitigationUsers of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.
CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.
Severity ?
6.5 (Medium)
CWE
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware | Spring Framework |
Affected:
6.0.5 , ≤ 6.0.28
(COMMERCIAL)
Affected: 6.1.0 , ≤ 6.1.20 (OSS) Affected: 6.2.0 , ≤ 6.2.7 (OSS) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41234",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T14:03:20.791564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T14:03:35.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Framework",
"vendor": "VMware",
"versions": [
{
"changes": [
{
"at": "6.0.29",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.0.28",
"status": "affected",
"version": "6.0.5",
"versionType": "COMMERCIAL"
},
{
"changes": [
{
"at": "6.1.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.1.20",
"status": "affected",
"version": "6.1.0",
"versionType": "OSS"
},
{
"changes": [
{
"at": "6.2.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.2.7",
"status": "affected",
"version": "6.2.0",
"versionType": "OSS"
}
]
}
],
"datePublic": "2025-06-12T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003ch1\u003eDescription\u003c/h1\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eIn Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.\u003c/p\u003e\u003cp\u003eSpecifically, an application is vulnerable when all the following are true:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe header is prepared with \u003ccode\u003eorg.springframework.http.ContentDisposition\u003c/code\u003e.\u003c/li\u003e\u003cli\u003eThe filename is set via \u003ccode\u003eContentDisposition.Builder#filename(String, Charset)\u003c/code\u003e.\u003c/li\u003e\u003cli\u003eThe value for the filename is derived from user-supplied input.\u003c/li\u003e\u003cli\u003eThe application does not sanitize the user-supplied input.\u003c/li\u003e\u003cli\u003eThe downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAn application is not vulnerable if any of the following is true:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe application does not set a \u201cContent-Disposition\u201d response header.\u003c/li\u003e\u003cli\u003eThe header is not prepared with \u003ccode\u003eorg.springframework.http.ContentDisposition\u003c/code\u003e.\u003c/li\u003e\u003cli\u003eThe filename is set via one of:\u003cul\u003e\u003cli\u003e\u003ccode\u003eContentDisposition.Builder#filename(String)\u003c/code\u003e, or\u003c/li\u003e\u003cli\u003e\u003ccode\u003eContentDisposition.Builder#filename(String, ASCII)\u003c/code\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eThe filename is not derived from user-supplied input.\u003c/li\u003e\u003cli\u003eThe filename is derived from user-supplied input but sanitized by the application.\u003c/li\u003e\u003cli\u003eThe attacker cannot inject malicious content in the downloaded content of the response.\u003c/li\u003e\u003c/ul\u003e\u003ch1\u003eAffected Spring Products and Versions\u003c/h1\u003e\u003cp\u003eSpring Framework:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6.2.0 - 6.2.7\u003c/li\u003e\u003cli\u003e6.1.0 - 6.1.20\u003c/li\u003e\u003cli\u003e6.0.5 - 6.0.28\u003c/li\u003e\u003cli\u003eOlder, unsupported versions are not affected\u003c/li\u003e\u003c/ul\u003e\u003ch1\u003eMitigation\u003c/h1\u003e\u003cp\u003eUsers of affected versions should upgrade to the corresponding fixed version.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected version(s)\u003c/th\u003e\u003cth\u003eFix version\u003c/th\u003e\u003cth\u003eAvailability\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e6.2.x\u003c/td\u003e\u003ctd\u003e6.2.8\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.1.x\u003c/td\u003e\u003ctd\u003e6.1.21\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.0.x\u003c/td\u003e\u003ctd\u003e6.0.29\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\"\u003eCommercial\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eNo further mitigation steps are necessary.\u003c/p\u003e\u003cbr\u003eCWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets."
}
],
"value": "Description\n\nIn Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.\n\nSpecifically, an application is vulnerable when all the following are true:\n\n * The header is prepared with org.springframework.http.ContentDisposition.\n * The filename is set via ContentDisposition.Builder#filename(String, Charset).\n * The value for the filename is derived from user-supplied input.\n * The application does not sanitize the user-supplied input.\n * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not set a \u201cContent-Disposition\u201d response header.\n * The header is not prepared with org.springframework.http.ContentDisposition.\n * The filename is set via one of: * ContentDisposition.Builder#filename(String), or\n * ContentDisposition.Builder#filename(String, ASCII)\n\n\n\n * The filename is not derived from user-supplied input.\n * The filename is derived from user-supplied input but sanitized by the application.\n * The attacker cannot inject malicious content in the downloaded content of the response.\n\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.7\n * 6.1.0 - 6.1.20\n * 6.0.5 - 6.0.28\n * Older, unsupported versions are not affected\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\n\nCWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Allows Reflected File Download (RFD) leading to potential compromise of confidentiality and integrity through malicious content injection in downloaded files."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T21:14:42.957Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2025-41234"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41234"
},
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N\u0026version=3.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RFD Attack via \u201cContent-Disposition\u201d Header Sourced from Request",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-41234",
"datePublished": "2025-06-12T21:14:42.957Z",
"dateReserved": "2025-04-16T09:29:46.972Z",
"dateUpdated": "2025-06-13T14:03:35.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}