CVE-2025-41242

EPSS 0.09%
Veröffentlicht 18.08.2025 08:47:07
Zuletzt bearbeitet 18.08.2025 20:16:28
Quelle security@vmware.com
Teams Watchlist Login
Unerledigt Login

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.

An application can be vulnerable when all the following are true:

  *  the application is deployed as a WAR or with an embedded Servlet container
  *  the Servlet container  does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization 
  *  the application  serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with Spring resource handling


We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerVMware

≫

Produkt Spring Framework

Default Statusunaffected

Version < 6.2.10

Version 6.2.x

Status affected

Version < 6.1.22

Version 6.1.x

Status affected

Version < 5.3.44

Version 5.3.x

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.268

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@vmware.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

http://spring.io/security/cve-2025-41242

https://nvd.nist.gov/vuln/detail/CVE-2025-41242

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-41242

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-41242

EUVD