CVE-2025-41242

EPSS 6.59%
Veröffentlicht 18.08.2025 08:47:07
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@vmware.com
CVE-Watchlists
Login
Unerledigt
Login

CVE-2025-41242: Path traversal vulnerability on non-compliant Servlet containers

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.

An application can be vulnerable when all the following are true:

  *  the application is deployed as a WAR or with an embedded Servlet container
  *  the Servlet container  does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization 
  *  the application  serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with Spring resource handling


We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerVMware

≫

Produkt Spring Framework

Default Statusunaffected

Version 6.2.x

Version < 6.2.10

Status affected

Version 6.1.x

Version < 6.1.22

Status affected

Version 5.3.x

Version < 5.3.44

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	6.59%	0.912

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@vmware.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://spring.io/security/cve-2025-41242

https://nvd.nist.gov/vuln/detail/CVE-2025-41242

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-41242

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-41242

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-41242