
1876 matches found

OpenVAS
added 2025/06/13 12:00 a.m. · 9 views

VMware Spring Framework 6.0.5 - 6.0.28, 6.1.0 - 6.1.20, 6.2.0 - 6.2.7 RFD Vulnerability - Linux

The VMware Spring Framework is prone to a reflected file download (RFD) vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 6.5 · AI score 8 · EPSS 0.00521
Exploits 0 · References 2
RedhatCVE
added 2025/06/12 10:43 p.m. · 6 views

CVE-2025-41234

A flaw involving the mishandling of non-ASCII characters in headers was found in the Spring Framework. This flaw allows an attacker to tamper with a file download under specific conditions when content names are user-supplied, so that the victim then downloads unintended content. Mitigation: Mitigation for this iss...

CVSS 6.5 · AI score 6 · EPSS 0.00521
Exploits 0 · References 7
NVD
added 2025/06/12 10:15 p.m. · 10 views

CVE-2025-41234

Description: In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5 · EPSS 0.00521
Exploits 0 · References 3
OSV
added 2025/06/12 10:15 p.m. · 1 view

UBUNTU-CVE-2025-41234

Description: In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5 · AI score 6.8 · EPSS 0.00521
Exploits 0 · References 3
Snyk
added 2025/06/12 9:50 p.m. · 2 views

HTTP Response Splitting

Overview: org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications, on any kind of deployment platform. Affected versions of this package are vulnerable to HTTP Response Splitting via the...

CVSS 6.5 · AI score 7.1 · EPSS 0.00521
Exploits 0 · References 2
Cvelist
added 2025/06/12 9:14 p.m. · 26 views

CVE-2025-41234 RFD Attack via “Content-Disposition” Header Sourced from Request

Description: In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5 · EPSS 0.00521
Exploits 0 · References 3
Vulnrichment
added 2025/06/12 9:14 p.m. · 4 views

CVE-2025-41234 RFD Attack via “Content-Disposition” Header Sourced from Request

Description: In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5 · AI score 6.6 · EPSS 0.00521
Exploits 0 · References 3
CVE
added 2025/06/12 9:14 p.m. · 227 views

CVE-2025-41234

CVE-2025-41234: In Spring Framework, versions 6.0.x up to 6.0.28, 6.1.x up to 6.1.20, and 6.2.x up to 6.2.7 are vulnerable to a reflected file download (RFD) attack when a response header uses a non-ASCII charset in the filename derived from user input via ContentDisposition.Builder#filename(Strin...

CVSS 6.5 · AI score 6.7 · EPSS 0.00521
Exploits 0 · References 3
Debian CVE
added 2025/06/12 9:14 p.m. · 4 views

CVE-2025-41234

Description: In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5 · AI score 7.4 · EPSS 0.00521
Exploits 0
Positive Technologies
added 2025/06/12 12:00 a.m. · 5 views

PT-2025-25357 · Unknown · Spring Framework

Name of the Vulnerable Software and Affected Versions: Spring Framework versions 6.0.5 through 6.0.28; Spring Framework versions 6.1.0 through 6.1.20; Spring Framework versions 6.2.0 through 6.2.7. Description: The issue allows remote attackers to launch Reflected File Download (RFD) attacks via...

CVSS 6.5 · AI score 6.3 · EPSS 0.00521
Exploits 0 · References 16
CNNVD
added 2025/06/12 12:00 a.m. · 1 view

VMware Spring Framework Security Vulnerability

VMware Spring Framework is a set of open source Java and Java EE application frameworks from VMware. The framework helps developers build high-quality applications. A security vulnerability exists in VMware Spring Framework versions 6.0.5 through 6.2.7, which stems from unsanitized user input in...

CVSS 6.5 · AI score 6 · EPSS 0.00521
Exploits 0 · References 4
Broadcom
added 2025/06/10 12:00 a.m. · 14 views

Path traversal vulnerability in functional web frameworks (CVE-2024-38819)

Spring Framework is vulnerable to a path traversal issue due to a lack of sufficient sanitization of path sequences processed by the WebMvc.fn or WebFlux.fn functional web frameworks. A remote attacker could submit crafted HTTP requests to an application that serves static resources through the...

CVSS 7.5 · AI score 7.1 · EPSS 0.54862
Exploits 6
Spring Security Advisories
added 2025/06/10 12:00 a.m. · 12 views

This Week in Spring - June 10th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's been a busy week indeed since we last spoke! Last week I was in Amsterdam for the IntelliJ IDEA conference and for the JSpring event in Utrecht. Now, I'm in Tokyo, Japan, for the JJUG Spring 2025 event. Importantly: both...

AI score 7.1
Exploits 0
OSV
added 2025/05/23 2:00 p.m. · 4 views

OESA-2025-1557 springframework security update

Spring is based on code published in Expert One-on-One J2EE Design and Development by Rod Johnson (Wrox, 2002). It is a layered Java/J2EE application framework. Security Fixes: In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a...

CVSS 6.5 · AI score 7 · EPSS 0.36658
Exploits 0 · References 2
RedhatCVE
added 2025/05/23 1:24 a.m. · 6 views

CVE-2022-43484

TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using an old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an...

CVSS 7.8 · AI score 7.4 · EPSS 0.00407
Exploits 1 · References 1
RedhatCVE
added 2025/05/22 7:36 p.m. · 4 views

CVE-2021-29500

bubble fireworks is an open source Java package relating to Spring Framework. In bubble fireworks before version 2021.BUILD-SNAPSHOT there is a vulnerability in which the package did not properly verify the signature of JSON Web Tokens. This allows forgery of valid JWTs...

CVSS 7.5 · AI score 6.7 · EPSS 0.00595
Exploits 0 · References 1
Tenable Nessus
added 2025/05/22 12:00 a.m. · 29 views

Spring_framework 5.3.x < 5.3.43 / 6.0.x < 6.0.28 / 6.1.x < 6.1.20 / 6.2.x < 6.2.7 (CVE-2025-22233)

The version of Springframework installed on the remote host is prior to 5.3.43, 6.0.28, 6.1.20, or 6.2.7. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-22233 advisory. - CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured...

CVSS 5.3 · AI score 6.4 · EPSS 0.00631
Exploits 1 · References 2
CISA KEV Catalog
added 2025/05/19 12:00 a.m. · 13 views

Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability

Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources without proper credentials via crafted API requests. This vulnerability results from an insecure implementation of the Spring Framework...

CVSS 7.5 · AI score 7.2 · EPSS 0.99589
In the wild · Exploits 8
OpenVAS
added 2025/05/19 12:00 a.m. · 23 views

VMware Spring Framework < 5.3.43, 6.0.x < 6.0.28, 6.1.x < 6.1.20, 6.2.x < 6.2.7 Authorization Bypass Vulnerability - Windows

The VMware Spring Framework is prone to an authorization bypass vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 3.1 · AI score 7.7 · EPSS 0.00334
Exploits 0 · References 2
OpenVAS
added 2025/05/19 12:00 a.m. · 19 views

VMware Spring Framework < 5.3.43, 6.0.x < 6.0.28, 6.1.x < 6.1.20, 6.2.x < 6.2.7 Authorization Bypass Vulnerability - Linux

The VMware Spring Framework is prone to an authorization bypass vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 3.1 · AI score 7.7 · EPSS 0.00334
Exploits 0 · References 2