Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-41254

Severity CVSS v4.0:
Pending analysis
Type:
CWE-352 Cross-Site Request Forgery (CSRF)
Publication date:
16/10/2025
Last modified:
16/10/2025

Description

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.<br /> <br /> Affected Spring Products and VersionsSpring Framework:<br /> <br /> * 6.2.0 - 6.2.11<br /> * 6.1.0 - 6.1.23<br /> * 6.0.x - 6.0.29<br /> * 5.3.0 - 5.3.45<br /> * Older, unsupported versions are also affected.<br /> <br /> <br /> MitigationUsers of affected versions should upgrade to the corresponding fixed version.<br /> <br /> Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.<br /> <br /> CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.

Impact

Vector 3.x
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 4.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None

Base Score 3.x
4.30
Severity 3.x
MEDIUM

References to Advisories, Solutions, and Tools