CVE-2025-41242

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-41242
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-41242.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-41242
Aliases
Downstream
Related
Published
2025-08-18T09:15:28Z
Modified
2025-08-19T08:50:51.506698Z
Summary
[none]
Details

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.

An application can be vulnerable when all the following are true:

  • the application is deployed as a WAR or with an embedded Servlet container
  • the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization
  • the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with Spring resource handling

We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.

References

Affected packages

Debian:11 / libspring-java

Package

Name
libspring-java
Purl
pkg:deb/debian/libspring-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.3.30-1
4.3.30-2
4.3.30-3

Ecosystem specific 

{
    "urgency": "unimportant"
}

Debian:12 / libspring-java

Package

Name
libspring-java
Purl
pkg:deb/debian/libspring-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.3.30-2
4.3.30-3

Ecosystem specific 

{
    "urgency": "unimportant"
}

Debian:13 / libspring-java

Package

Name
libspring-java
Purl
pkg:deb/debian/libspring-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.3.30-3

Ecosystem specific 

{
    "urgency": "unimportant"
}

Debian:14 / libspring-java

Package

Name
libspring-java
Purl
pkg:deb/debian/libspring-java?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.3.30-3

Ecosystem specific 

{
    "urgency": "unimportant"
}