Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-41234

Severity CVSS v4.0:
Pending analysis
Type:
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Publication date:
12/06/2025
Last modified:
16/06/2025

Description

Description<br /> <br /> In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.<br /> <br /> Specifically, an application is vulnerable when all the following are true:<br /> <br /> * The header is prepared with org.springframework.http.ContentDisposition.<br /> * The filename is set via ContentDisposition.Builder#filename(String, Charset).<br /> * The value for the filename is derived from user-supplied input.<br /> * The application does not sanitize the user-supplied input.<br /> * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).<br /> <br /> <br /> An application is not vulnerable if any of the following is true:<br /> <br /> * The application does not set a “Content-Disposition” response header.<br /> * The header is not prepared with org.springframework.http.ContentDisposition.<br /> * The filename is set via one of: * ContentDisposition.Builder#filename(String), or<br /> * ContentDisposition.Builder#filename(String, ASCII)<br /> <br /> <br /> <br /> * The filename is not derived from user-supplied input.<br /> * The filename is derived from user-supplied input but sanitized by the application.<br /> * The attacker cannot inject malicious content in the downloaded content of the response.<br /> <br /> <br /> Affected Spring Products and VersionsSpring Framework:<br /> <br /> * 6.2.0 - 6.2.7<br /> * 6.1.0 - 6.1.20<br /> * 6.0.5 - 6.0.28<br /> * Older, unsupported versions are not affected<br /> <br /> <br /> MitigationUsers of affected versions should upgrade to the corresponding fixed version.<br /> <br /> Affected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.<br /> <br /> <br /> CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.

Impact

Vector 3.x
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.50 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): Low
Availability (A): None

Base Score 3.x
6.50
Severity 3.x
MEDIUM

References to Advisories, Solutions, and Tools