Spring Framework 5.3.x < 5.3.44 / 6.1.x < 6.1.22 / 6.2.x < 6.2.10 Path Traversal (CVE-2025-41242)

🗓️ 21 Aug 2025 00:00:00Reported by TenableType

Spring Path traversal CVE-2025-41242 affects 5.3.x<5.3.44,6.1.x<6.1.22,6.2.x<6.2.810; vulnerable on WAR or embedded containers serving static resources; upgrade advised.

Reporter	Title	Published	Views	Family All 62
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager for December 2025 - Multiple CVEs addressed	29 Jan 202607:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Connect:Direct Web Services vulnerable to spring-beans-6.2.3.jar (CVE-2025-41242)	7 Oct 202507:21	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 2.1.0	5 Dec 202509:12	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite uses multiple third party dependencies which is vulnerable to CVEs.	7 Oct 202507:40	–	ibm
IBM Security Bulletins	Security Bulletin: Path traversal vulnerability affect IBM Business Automation Workflow - CVE-2025-41242	6 Nov 202510:13	–	ibm
IBM Security Bulletins	Security Bulletin: A security vulnerability has been identified in IBM StreamSets Data Collector	8 Feb 202606:56	–	ibm
IBM Security Bulletins	Security Bulletin: vulerability in IBM Spectrum Symphony with spring webmvc	7 Jan 202619:36	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Spring Framework MVC affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.	29 Dec 202507:27	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses Spring Framework MVC applications can be vulnerable to Traversal Vulnerability.	28 Oct 202505:54	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities	25 Sep 202516:59	–	ibm

Source	Link
spring	www.spring.io/security/cve-2025-41242
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(253510);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/21");

  script_cve_id("CVE-2025-41242");
  script_xref(name:"IAVA", value:"2025-A-0613-S");

  script_name(english:"Spring Framework 5.3.x < 5.3.44 / 6.1.x < 6.1.22 / 6.2.x < 6.2.10 Path Traversal (CVE-2025-41242)");

  script_set_attribute(attribute:"synopsis", value:
"The Spring Framework install on the remote host is affectec by a path traversal vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.44, 6.1.x prior to 6.1.22, or 6.2.x
prior to 6.2.810. It is, therefore, affected by a path traversal vulnerability:

  - Spring Framework MVC applications can be vulnerable to a âPath Traversal Vulnerabilityâ when deployed on a
    non-compliant Servlet container. An application can be vulnerable when all the following are true:
      * the application is deployed as a WAR or with an embedded Servlet container
      * the Servlet container does not reject suspicious sequences 
      * the application serves static resources with Spring resource handling
    We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default
    security features are not disabled in the configuration. Because we cannot check exploits against all Servlet
    containers and configuration variants, we strongly recommend upgrading your application.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://spring.io/security/cve-2025-41242");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Spring Framework version 5.3.44, 6.1.22, or 6.2.10 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-41242");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/08/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/08/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/08/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pivotal_software:spring_framework");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:spring_framework");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("spring_jar_detection.nbin");
  script_require_keys("installed_sw/Spring Framework");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'Spring Framework', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints': [
        {'fixed_version':'5.3.44'},
        {'min_version':'6.0.0', 'fixed_version':'6.1.22'},
        {'min_version':'6.2.0', 'fixed_version':'6.2.10'}
      ]
    }
  ]
};

var result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING);
vdf::handle_check_and_report_errors(vdf_result:result);

21 Jan 2026 00:00Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.15.9

EPSS0.05222

SSVC