View all Vulnerabilities

CVE-2026-41843

Path Traversal
Affects
Spring Framework
in
Spring
No items found.
Versions
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational application framework for the Spring ecosystem, providing the core container, web stacks, and infrastructure that the wider Spring portfolio is built on. Its two web stacks, Spring MVC (servlet-based, in spring-webmvc) and Spring WebFlux (reactive, in spring-webflux), both ship a static-resource handling pipeline that can serve files from the file system. That pipeline supports versioned resources: when configured with a VersionResourceResolver and a content-based version strategy, the framework embeds a content hash into resource URLs for cache-busting, and strips that version back out of the request path before resolving the underlying file.

A medium-severity vulnerability (CVE-2026-41843) has been identified in this versioned-resource path handling. The version-stripping logic removed every occurrence of the version substring from the request path rather than only the trailing one, and the resolver did not re-validate the stripped path before resolving it against the file system. An attacker who knows the version metadata of a served resource can craft a request whose stripped path escapes the configured resource locations, allowing files outside those locations to be read.

Per OWASP, a path traversal (directory traversal) attack aims to access files and directories stored outside the web root folder; by manipulating variables that reference files with parent-directory ('dot-dot-slash') sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories on the file system. This issue is exactly that failure mode: a crafted, version-bearing request path is transformed into a path that resolves outside the intended static-resource directory.

The CVSS v3.1 base score for this vulnerability is 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The attack vector is Network because the request arrives over HTTP, attack complexity is High because the attacker must already know the version metadata (content hash) of a targeted resource for the crafted path to be processed by the version resolver, and no privileges or user interaction are required. The impact is Confidentiality-only and High because the flaw can disclose file contents from outside the configured resource locations; there is no integrity or availability impact, since the path is only resolved for reading.

This issue affects Spring Framework >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7 when versioned static resources are served from the file system.

Details

Module Info

Vulnerability Info

The vulnerability is in the versioned-resource resolution pipeline, which exists in mirrored form in both web stacks: org.springframework.web.servlet.resource in spring-webmvc and org.springframework.web.reactive.resource in spring-webflux. The fix is related to CVE-2026-41842. It is only reachable when an application configures a VersionResourceResolver with a content-based version strategy on a file-system-backed resource handler, so a deployment is exposed only if it both serves static resources from the file system and has versioned resource support enabled.

When a request for a versioned resource arrives, the version strategy's removeVersion method strips the embedded version token out of the request path so the underlying (unversioned) file can be located. Pre-fix, that method used StringUtils.delete, which removes every occurrence of the -<version> substring from the path:

return StringUtils.delete(requestPath, "-" + version);

Because the content hash is attacker-knowable, a request path can be crafted so the version substring appears more than once, including inside a directory-traversal segment. StringUtils.delete then strips the token from all of those positions at once, producing a simplePath that no longer matches the intended cache-busting suffix and instead points outside the configured resource location. The resolver passed that simplePath straight to the resolution chain without re-validating it, so the traversed path was resolved and its file contents could be returned.

The advisory lists the affected range starting at 5.3.0, reflecting Spring's currently-supported scope. The vulnerable code (the StringUtils.delete-based removeVersion and the unguarded resolver) predates 5.3 and is present in the 4.3.x line as well, so older lines covered by NES support are also affected.

Steps To Reproduce

1. Build a Spring MVC (or Spring WebFlux) application on an affected Spring Framework version that serves static resources from the file system with versioned-resource support enabled:

   @Override
   public void addResourceHandlers(ResourceHandlerRegistry registry) {
       registry.addResourceHandler("/resources/**")
           .addResourceLocations(new FileSystemResource("/var/www/static/"))
           .resourceChain(true)
           .addResolver(new VersionResourceResolver()
               .addContentVersionStrategy("/**"));
   }

2. Request a legitimate versioned resource and note the content-hash version token the application assigns, for example /resources/css/app-<hash>.css. This token is the resource metadata the attack relies on.

3. Craft a request whose path repeats the -<hash> version substring so that, after the pre-fix StringUtils.delete removes all occurrences at once, the resulting simplePath resolves outside the configured /var/www/static/ location.

4. Send the crafted request. On a vulnerable version the resolver strips the version from every position, fails to re-validate the stripped path, and resolves a file outside the intended resource location, returning its contents.

5. After upgrading to a fixed version (Spring Framework 6.2.19, 7.0.8, or a HeroDevs NES version), repeat the crafted request. removeVersion now strips only the trailing token and VersionResourceResolver rejects the traversing path via ResourceHandlerUtils.shouldIgnoreInputPath, so the request no longer escapes the resource location.

Mitigation

Spring Framework 4.3.x, 5.3.x, and 6.1.x have reached the end of their open source support lifecycle and will not receive open source patches for this vulnerability; see the Spring support policy for current support timelines.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework that contains the fix. The OSS fix ships in Spring Framework 6.2.19 (6.2.x line) and 7.0.8 (7.0.x line).
  • As an interim hardening step on a vulnerable deployment, disable versioned-resource support or serve static resources from the classpath rather than the file system, since the issue is only reachable when file-system resources are served with a content-based VersionResourceResolver.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework.

Credits

  • This issue was discovered internally by the Spring team.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-41843
PROJECT Affected
Spring Framework
Versions Affected
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
Path Traversal
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.