GHSA-7fch-4f2f-jcgm

Source

https://github.com/advisories/GHSA-7fch-4f2f-jcgm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-7fch-4f2f-jcgm/GHSA-7fch-4f2f-jcgm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7fch-4f2f-jcgm

Aliases

CVE-2025-41254

Related

CGA-mr7j-frhq-6p9w

Published

2025-10-16T15:30:43Z

Modified

2026-02-04T03:56:30.801953Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages

Details

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and Versions

Spring Framework:

6.2.0 - 6.2.11
6.1.0 - 6.1.23
6.0.x - 6.0.29
5.3.0 - 5.3.45
Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)

No further mitigation steps are necessary.

CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2025-10-16T15:15:33Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "github_reviewed_at": "2025-10-17T17:37:14Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven

org.springframework:spring-websocket

Package

Name: org.springframework:spring-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.12

Affected versions

6.*

6.2.0

6.2.1

6.2.2

6.2.3

6.2.4

6.2.5

6.2.6

6.2.7

6.2.8

6.2.9

6.2.10

6.2.11

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-7fch-4f2f-jcgm/GHSA-7fch-4f2f-jcgm.json"

org.springframework:spring-websocket

Package

Name: org.springframework:spring-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Last affected

6.1.21

Affected versions

6.*

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.1.5

6.1.6

6.1.7

6.1.8

6.1.9

6.1.10

6.1.11

6.1.12

6.1.13

6.1.14

6.1.15

6.1.16

6.1.17

6.1.18

6.1.19

6.1.20

6.1.21

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-7fch-4f2f-jcgm/GHSA-7fch-4f2f-jcgm.json"

org.springframework:spring-websocket

Package

Name: org.springframework:spring-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Last affected

6.0.23

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

6.0.9

6.0.10

6.0.11

6.0.12

6.0.13

6.0.14

6.0.15

6.0.16

6.0.17

6.0.18

6.0.19

6.0.20

6.0.21

6.0.22

6.0.23

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-7fch-4f2f-jcgm/GHSA-7fch-4f2f-jcgm.json"

org.springframework:spring-websocket

Package

Name: org.springframework:spring-websocket; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring-websocket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.3.39

Affected versions

4.*

4.0.0.RELEASE

4.0.1.RELEASE

4.0.2.RELEASE

4.0.3.RELEASE

4.0.4.RELEASE

4.0.5.RELEASE

4.0.6.RELEASE

4.0.7.RELEASE

4.0.8.RELEASE

4.0.9.RELEASE

4.1.0.RELEASE

4.1.1.RELEASE

4.1.2.RELEASE

4.1.3.RELEASE

4.1.4.RELEASE

4.1.5.RELEASE

4.1.6.RELEASE

4.1.7.RELEASE

4.1.8.RELEASE

4.1.9.RELEASE

4.2.0.RELEASE

4.2.1.RELEASE

4.2.2.RELEASE

4.2.3.RELEASE

4.2.4.RELEASE

4.2.5.RELEASE

4.2.6.RELEASE

4.2.7.RELEASE

4.2.8.RELEASE

4.2.9.RELEASE

4.3.0.RELEASE

4.3.1.RELEASE

4.3.2.RELEASE

4.3.3.RELEASE

4.3.4.RELEASE

4.3.5.RELEASE

4.3.6.RELEASE

4.3.7.RELEASE

4.3.8.RELEASE

4.3.9.RELEASE

4.3.10.RELEASE

4.3.11.RELEASE

4.3.12.RELEASE

4.3.13.RELEASE

4.3.14.RELEASE

4.3.15.RELEASE

4.3.16.RELEASE

4.3.17.RELEASE

4.3.18.RELEASE

4.3.19.RELEASE

4.3.20.RELEASE

4.3.21.RELEASE

4.3.22.RELEASE

4.3.23.RELEASE

4.3.24.RELEASE

4.3.25.RELEASE

4.3.26.RELEASE

4.3.27.RELEASE

4.3.28.RELEASE

4.3.29.RELEASE

4.3.30.RELEASE

5.*

5.0.0.RELEASE

5.0.1.RELEASE

5.0.2.RELEASE

5.0.3.RELEASE

5.0.4.RELEASE

5.0.5.RELEASE

5.0.6.RELEASE

5.0.7.RELEASE

5.0.8.RELEASE

5.0.9.RELEASE

5.0.10.RELEASE

5.0.11.RELEASE

5.0.12.RELEASE

5.0.13.RELEASE

5.0.14.RELEASE

5.0.15.RELEASE

5.0.16.RELEASE

5.0.17.RELEASE

5.0.18.RELEASE

5.0.19.RELEASE

5.0.20.RELEASE

5.1.0.RELEASE

5.1.1.RELEASE

5.1.2.RELEASE

5.1.3.RELEASE

5.1.4.RELEASE

5.1.5.RELEASE

5.1.6.RELEASE

5.1.7.RELEASE

5.1.8.RELEASE

5.1.9.RELEASE

5.1.10.RELEASE

5.1.11.RELEASE

5.1.12.RELEASE

5.1.13.RELEASE

5.1.14.RELEASE

5.1.15.RELEASE

5.1.16.RELEASE

5.1.17.RELEASE

5.1.18.RELEASE

5.1.19.RELEASE

5.1.20.RELEASE

5.2.0.RELEASE

5.2.1.RELEASE

5.2.2.RELEASE

5.2.3.RELEASE

5.2.4.RELEASE

5.2.5.RELEASE

5.2.6.RELEASE

5.2.7.RELEASE

5.2.8.RELEASE

5.2.9.RELEASE

5.2.10.RELEASE

5.2.11.RELEASE

5.2.12.RELEASE

5.2.13.RELEASE

5.2.14.RELEASE

5.2.15.RELEASE

5.2.16.RELEASE

5.2.17.RELEASE

5.2.18.RELEASE

5.2.19.RELEASE

5.2.20.RELEASE

5.2.21.RELEASE

5.2.22.RELEASE

5.2.23.RELEASE

5.2.24.RELEASE

5.2.25.RELEASE

5.3.0

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.3.7

5.3.8

5.3.9

5.3.10

5.3.11

5.3.12

5.3.13

5.3.14

5.3.15

5.3.16

5.3.17

5.3.18

5.3.19

5.3.20

5.3.21

5.3.22

5.3.23

5.3.24

5.3.25

5.3.26

5.3.27

5.3.28

5.3.29

5.3.30

5.3.31

5.3.32

5.3.33

5.3.34

5.3.35

5.3.36

5.3.37

5.3.38

5.3.39

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-7fch-4f2f-jcgm/GHSA-7fch-4f2f-jcgm.json"