CVE-2025-41242

Path Traversal
Affects: Spring Framework (Spring)
Versions: >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.43, >=6.0.0 <=6.0.29, >=6.1.0 <=6.1.21, >=6.2.0 <=6.2.9
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Framework is a comprehensive Java framework for building enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of web applications by allowing you to use Java as your primary language while offering a variety of tools to manage application configuration, data access, and security.

A possible Path Traversal vulnerability (CVE-2025-41242) has been identified in Spring Framework’s MVC support for servlet containers that are incorrectly configured.

A Path Traversal vulnerability occurs when an attacker is able to manipulate file or directory paths in an application to gain unauthorized access to files or directories outside the intended directory. This typically happens when user input is not properly sanitized or validated, allowing attackers to use sequences like ../ to navigate the file system. The implications of a Path Traversal vulnerability are severe, as it can lead to unauthorized access to sensitive files, data leakage, system compromise, or further exploitation of the system, depending on the application’s privileges and access controls.

This issue affects multiple versions of Spring Framework’s spring-beans package.

Details

Module Info

Vulnerability Info

The security flaw applies to Spring Framework MVC applications when specific deployment and configuration conditions align. This vulnerability enables attackers to bypass intended access controls and retrieve files from unauthorized filesystem locations through crafted HTTP requests targeting static resource endpoints.

The security flaw manifests when the following conditions occur:

  • Application deployment uses WAR packaging or embedded Servlet containers (such as Tomcat or Jetty)
  • The underlying servlet container lacks the proper validation of malicious path sequences
  • Static resources are served using Spring’s resource handling

Important Note: Default installations of Apache Tomcat and Eclipse Jetty include protective measures that prevent exploitation, provided administrators have not modified standard security configurations. Applications using Spring Boot have many of these security features enabled by default. 
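As an added illustration (not code from Spring Framework, Tomcat, or Jetty), the following Python sketch shows the normalization and containment check a servlet container or resource handler is expected to apply before a static-resource request path is mapped to a file; the STATIC_ROOT directory and the /static/ URL mapping are assumed.

```python
import posixpath
from urllib.parse import unquote

# Assumed root directory for served static resources (illustration only).
STATIC_ROOT = "/var/www/static"
STATIC_PREFIX = "/static/"


def canonical_request_path(raw_path: str) -> str:
    """Percent-decode until stable (catches double encoding), unify
    separators, and collapse '.' and '..' segments so the result reflects
    the file the request actually targets."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    return posixpath.normpath("/" + decoded.lstrip("/"))


def resolve_static(raw_path: str, root: str = STATIC_ROOT):
    """Return the absolute file path if raw_path stays inside root,
    otherwise None. A container that skips this normalization is the
    misconfiguration the advisory describes."""
    canon = canonical_request_path(raw_path)
    if "\x00" in canon:
        return None  # embedded NUL can truncate the path at the OS layer
    if not canon.startswith(STATIC_PREFIX):
        return None  # dot segments resolved outside the static mapping
    relative = canon[len(STATIC_PREFIX):]
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    # Belt-and-braces containment check on the final filesystem path.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate,
    # the rest are the shapes a correct check must reject.
    for p in ["/static/css/app.css", "/static/css/../img/logo.png",
              "/static/../etc/passwd", "/static/%2e%2e/%2e%2e/etc/passwd",
              "/static/%252e%252e/etc/passwd", "/static/..%5cwin.ini"]:
        print(f"{p!r:45} -> {resolve_static(p)}")
```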

Mitigation

Only recent versions of Spring Framework are community-supported, and only those versions will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Framework

Credit

  • 1ue and b1u3r from Vidar-Team, and Joakim Erdfelt from Webtide

Vulnerability Details
ID: CVE-2025-41242
Project Affected: Spring Framework
Versions Affected: >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.43, >=6.0.0 <=6.0.29, >=6.1.0 <=6.1.21, >=6.2.0 <=6.2.9
Published date: August 18, 2025
Fix date: August 15, 2025
Severity: Medium (CVSS scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
Category: Path Traversal