Reflected File Download Vulnerability in Spring Framework by VMware
CVE-2025-41234

6.5 MEDIUM

Key Information:

Vendor:
VMware

CVE Published:
12 June 2025

What is CVE-2025-41234?

Spring Framework, maintained by VMware, is vulnerable to reflected file download (RFD) attacks in versions 6.0.5 through 6.2.7. The issue arises when an application sets the 'Content-Disposition' header using a non-ASCII charset with a filename derived from user input that has not been sanitized. An attacker can inject malicious commands into the response content, potentially compromising application security. To mitigate this risk, users should promptly upgrade to the fixed versions.
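As an added example (not code from this advisory or from the Spring project), a hardened download endpoint that never passes unsanitized user input into the Content-Disposition header: the filename is reduced to a conservative ASCII form, so the non-ASCII charset path the advisory describes is never exercised, and the extension is checked against an allowlist. The controller, its allowlist, and the sample body are assumptions for illustration; upgrading remains the actual fix.

```java
import java.util.Locale;
import java.util.Set;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExportController {

    // Assumed allowlist: the only extensions this endpoint is meant to serve.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("csv", "txt", "json");
    private static final int MAX_NAME_LENGTH = 64;

    /**
     * Reduce a user-supplied name to [A-Za-z0-9._-] before it reaches
     * Content-Disposition. Staying ASCII keeps the header on the plain
     * filename path, and the allowlist keeps the download from being saved
     * under an executable extension.
     */
    static String safeAttachmentFilename(String requested) {
        String name = requested == null ? "" : requested;
        // Strip any directory component the client may have supplied.
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        name = name.substring(cut + 1).replaceAll("[^A-Za-z0-9._-]", "_");
        if (name.length() > MAX_NAME_LENGTH) {
            name = name.substring(0, MAX_NAME_LENGTH);
        }
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (dot <= 0 || !ALLOWED_EXTENSIONS.contains(ext)) {
            return "export.txt"; // unknown or missing extension: fixed safe name
        }
        return name;
    }

    @GetMapping("/export")
    public ResponseEntity<String> export(@RequestParam("name") String name) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(
                ContentDisposition.attachment().filename(safeAttachmentFilename(name)).build());
        // nosniff stops browsers from reinterpreting the body as another type.
        headers.set("X-Content-Type-Options", "nosniff");
        String body = "id,value\n1,example\n"; // constructed sample content
        return ResponseEntity.ok().headers(headers).contentType(MediaType.TEXT_PLAIN).body(body);
    }
}
```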

Affected Version(s)

Spring Framework 6.0.5 through 6.0.28

Spring Framework 6.1.0 through 6.1.20

Spring Framework 6.2.0 through 6.2.7

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved
