Path Traversal Vulnerability in Spring Framework MVC Applications
CVE-2025-41242

5.9 MEDIUM

Key Information:

Vendor:
VMware

CVE Published:
18 August 2025

What is CVE-2025-41242?

Spring Framework MVC applications can be exposed to path traversal when they are deployed on a Servlet container that does not reject suspicious URI sequences. An application is affected only when all of the following hold: it is deployed as a WAR file or with an embedded Servlet container; that container is non-compliant, meaning it passes traversal sequences such as ".." through to the application instead of rejecting the request; and the application serves static resources using Spring's resource handling (for example a resource handler mapped to a location on disk). Under those conditions a crafted request path can be resolved to a file outside the configured resource location and its contents disclosed. Applications deployed on compliant Servlet containers such as Apache Tomcat or Eclipse Jetty with their default configuration are not affected, because those containers reject such sequences before the request reaches the application. To mitigate, upgrade to a fixed Spring Framework release (6.2.10, 6.1.22 or 5.3.44, see the affected ranges below) and deploy on a compliant, up-to-date Servlet container.
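The following is an added illustration, not code from Spring Framework or from this advisory. It models the failure mode described above in plain Python: a Servlet container percent-decodes the request URI once and hands it on, a trusting resource handler joins the remainder onto its static root (and walks out of it when ".." survived), and a hardened resolver rejects suspicious sequences and proves the final path is still under the root. The mapping "/static/", the root "/srv/app/static" and the request paths are constructed for the example; no file is touched, only paths are computed.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed values for the example: the handler mapping and the directory it
# is allowed to serve. Neither comes from the advisory.
MAPPING = "/static/"
STATIC_ROOT = "/srv/app/static"


def container_decode(raw_uri: str) -> str:
    """Model the single percent-decoding pass a Servlet container applies to
    the request URI before dispatch. A compliant container would also reject
    traversal sequences at this point; a non-compliant one just hands the
    decoded path to the application."""
    return unquote(raw_uri)


def naive_resolve(decoded_path: str, root: str = STATIC_ROOT) -> str:
    """The trusting resolution: strip the mapping prefix and join the rest onto
    the root. If the container let '..' through, the join leaves the root."""
    rel = decoded_path[len(MAPPING):]
    return os.path.normpath(os.path.join(root, rel))


def is_suspicious(decoded_path: str) -> bool:
    """Sequences a resource handler should refuse after decoding: leftover
    percent signs (a second encoding layer), backslashes, control characters,
    and any literal '..' segment, checked on the raw segments before any
    normalisation has a chance to collapse them."""
    if "%" in decoded_path or "\\" in decoded_path:
        return True
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded_path):
        return True
    return any(seg == ".." for seg in decoded_path.split("/"))


def hardened_resolve(decoded_path: str, root: str = STATIC_ROOT):
    """Reject suspicious input, normalise the URL path, then verify that the
    resulting filesystem path is still inside the root. Returns None on
    rejection so the caller can answer 404 instead of serving the file."""
    if not decoded_path.startswith(MAPPING) or is_suspicious(decoded_path):
        return None
    rel = posixpath.normpath(decoded_path[len(MAPPING):]).lstrip("/")
    if rel in ("", "."):
        return None
    candidate = os.path.normpath(os.path.join(root, rel))
    # Defence in depth: even if a check above were bypassed, never serve a
    # path whose common prefix with the root is not the root itself.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request URIs as a non-compliant container would pass them on.
    for raw in ("/static/css/app.css",
                "/static/../WEB-INF/web.xml",
                "/static/%2e%2e/%2e%2e/etc/passwd",
                "/static/%252e%252e/secret"):
        decoded = container_decode(raw)
        print(f"{raw:40} naive={naive_resolve(decoded):32} "
              f"hardened={hardened_resolve(decoded)}")
```

The naive path shows why the container matters: "/static/../WEB-INF/web.xml" resolves to the WAR's WEB-INF directory, and the percent-encoded form does the same once the container has decoded it. The hardened resolver refuses both, and also refuses the double-encoded variant because a percent sign that survives one decoding pass is itself a signal that someone is trying to slip a sequence past a single-decode check.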

Affected Version(s)

Spring Framework 6.2.x < 6.2.10

Spring Framework 6.1.x < 6.1.22

Spring Framework 5.3.x < 5.3.44

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
