
10 matches found

OSV
added 2026/06/22 12:34 p.m. | 6 views

ROOT-APP-MAVEN-CVE-2025-41254 CVE-2025-41254 in io.root.org.springframework:spring-websocket - Patched by Root

Root has patched CVE-2025-41254 in the io.root.org.springframework:spring-websocket package for Root:Maven. Multiple fixed versions available...

CVSS 4.3 | AI score 5.3 | EPSS 0.00286
Exploits: 0

Debian CVE
added 2026/06/09 3:49 a.m. | 9 views

CVE-2026-41838

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...

CVSS 7.5 | AI score 5.4 | EPSS 0.00171
Exploits: 0

Tenable Nessus
added 2026/06/09 12:0 a.m. | 15 views

Linux Distros Unpatched Vulnerability : CVE-2026-41838

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequa...

CVSS 7.5 | AI score 5.4 | EPSS 0.00171
Exploits: 0 | References: 3

Spring Security Advisories
added 2026/06/08 12:0 a.m. | 5 views

CVE-2026-41838: Spring Framework Predictable Session ID in WebSocket Module

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules...

CVSS 4.8 | AI score 5.7 | EPSS 0.00171
Exploits: 0 | References: 1 | Affected Software: 1

vulnersOsv
added 2025/10/16 3:30 p.m. | 6 views

br.com.m4rc310:br-com-m4rc310-gql (=1.0.58), br.com.m4rc310:br-com-m4rc310-gtim (=1.0.58) +267 more potentially affected by CVE-2025-41254 via org.springframework:spring-websocket (>=6.0.0 <=6.0.21)

org.springframework:spring-websocket MAVEN version =6.0.0, =3.1.1.0, =3.1.1.0, =2.0.35, =0.0.11, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.8.5 and more Source cves: CVE-2025-41254 Source advisory: OSV:GHSA-7FCH-4F2F-JCGM...

CVSS 4.3 | AI score 7.2 | EPSS 0.00286
Exploits: 0

vulnersOsv
added 2025/10/16 3:30 p.m. | 8 views

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.6.0.0), at.researchstudio.sat:won-owner (=0.3) +2227 more potentially affected by CVE-2025-41254 via org.springframework:spring-websocket (>=4.0.0.RELEASE <=5.3.39)

org.springframework:spring-websocket MAVEN version =4.0.0.RELEASE, =4.4.0.0, =3.4.0, =5.6.5, =4.1.0, =4.1.0, =3.6.0, =1.4, =5.3.0, =6.2.5 and more Source cves: CVE-2025-41254 Source advisory: OSV:GHSA-7FCH-4F2F-JCGM...

CVSS 4.3 | AI score 7.2 | EPSS 0.00286
Exploits: 0

vulnersOsv
added 2025/10/16 3:30 p.m. | 6 views

ai.driftkit:driftkit-workflow-controllers (>=0.7.5 <=0.8.7), ai.driftkit:driftkit-workflow-engine-spring-boot-starter (>=0.7.0 <=0.8.7) +501 more potentially affected by CVE-2025-41254 via org.springframework:spring-websocket (>=6.1.0 <=6.1.21)

org.springframework:spring-websocket MAVEN version =6.1.0, =0.7.5, =0.7.0, =1.0.2, =1.0.42, =1.0.2, =1.0.2, =1.0.42, =7.6.0, =7.6.0, =7.6.0, =7.6.0, =7.6.0, =7.6.0, =7.6.0, =7.6.0, =8.4.3 and more Source cves: CVE-2025-41254 Source advisory: OSV:GHSA-7FCH-4F2F-JCGM...

CVSS 4.3 | AI score 7.4 | EPSS 0.00286
Exploits: 0

vulnersOsv
added 2025/10/16 3:30 p.m. | 8 views

at.aimon.ops:aimon-ops-api (>=0.0.1 <=0.0.2), cc.allio.uno:uno-starter-websocket (>=1.1.9 <=1.2.1) +704 more potentially affected by CVE-2025-41254 via org.springframework:spring-websocket (>=6.2.0 <=6.2.11)

org.springframework:spring-websocket MAVEN version =6.2.0, =0.0.1, =1.1.9, =1.1.9, =3.5.5.3, =3.4.0.0, =3.4.0.0, =3.5.5.3, =1.0.0, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.5 and more Source cves: CVE-2025-41254 Source advisory: OSV:GHSA-7FCH-4F2F-JCGM...

CVSS 4.3 | AI score 7.4 | EPSS 0.00286
Exploits: 0

vulnersOsv
added 2025/10/16 12:0 a.m. | 6 views

ai.driftkit:driftkit-workflow-controllers (>=0.7.5 <=0.8.7), ai.driftkit:driftkit-workflow-engine-spring-boot-starter (>=0.7.0 <=0.8.7) +1159 more potentially affected by CVE-2025-41254 via org.springframework:spring-websocket (>=6.0.0 <=6.2.11)

org.springframework:spring-websocket MAVEN version =6.0.0, =0.7.5, =0.7.0, =0.5.0, =0.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.6, =1.0.1, =1.0.31 and more Source cves: CVE-2025-41254 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORK-13608629...

CVSS 4.3 | AI score 7.4 | EPSS 0.00286
Exploits: 0

Snyk
added 2025/10/16 12:0 a.m. | 3 views

Cross-site Request Forgery (CSRF)

Overview org.springframework:spring-websocket is a framework that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF vi...

CVSS 5.1 | AI score 6.9 | EPSS 0.00286
Exploits: 0 | References: 2