Security Bypass in STOMP over WebSocket Applications for Spring Framework
CVE-2025-41254

4.3 MEDIUM

Key Information:

Vendor:
VMware
CVE Published:
16 October 2025

What is CVE-2025-41254?

A vulnerability exists in STOMP over WebSocket applications within the Spring Framework, enabling attackers to bypass security measures and send unauthorized messages. This flaw impacts multiple versions, including those that are outdated and not supported. To mitigate the risk, users of the affected versions should upgrade to the latest fixed versions as outlined in the advisory.

Affected Version(s)

Spring Framework 5.3.x

Spring Framework 6.0.x

CVSS v3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This vulnerability was discovered and responsibly reported by Jannis Kaiser.