=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN518
_____________________________________________________________________

DATE                : 14/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring Framework versions prior
                             to 6.2.10, 6.1.22, 5.3.44.

=====================================================================
https://spring.io/security/cve-2025-41242/
_____________________________________________________________________

CVE-2025-41242: Path traversal vulnerability on non-compliant Servlet
containers
MEDIUM | AUGUST 14, 2025 | CVE-2025-41242

Description

Spring Framework MVC applications can be vulnerable to a “Path
Traversal Vulnerability” when deployed on a non-compliant Servlet
container.

An application can be vulnerable when all the following are true:

    - the application is deployed as a WAR or with an embedded Servlet
      container
    - the Servlet container does not reject suspicious sequences
    - the application serves static resources with Spring resource
      handling


We have verified that applications deployed on Apache Tomcat or Eclipse
Jetty are not vulnerable, as long as default security features are not
disabled in the configuration. Because we cannot check exploits against
all Servlet containers and configuration variants, we strongly
recommend upgrading your application.


Affected Spring Products and Versions

Spring Framework:

    6.2.0 - 6.2.9
    6.1.0 - 6.1.21
    6.0.0 - 6.0.29
    5.3.0 - 5.3.43
    Older, unsupported versions are also affected.


Mitigation

Users of affected versions should upgrade to the corresponding fixed
version.


Affected version(s)   Fix version   Availability
-------------------   -----------   --------------
6.2.x                 6.2.10        OSS
6.1.x                 6.1.22        Commercial
6.0.x                 N/A           Out of support
5.3.x                 5.3.44        Commercial

No further mitigation steps are necessary.
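As an added inventory aid (not part of the advisory or of the Spring project), the script below classifies Spring Framework jar versions found in a deployment against the affected ranges and fix versions listed above; the Maven-style jar naming pattern and the sample file names are assumptions.

```python
import re

# Affected patch ranges and fix versions exactly as listed in the advisory for
# CVE-2025-41242: (major, minor) line -> (first affected patch, last affected patch, fix).
AFFECTED_LINES = {
    (6, 2): (0, 9, "6.2.10"),
    (6, 1): (0, 21, "6.1.22"),
    (6, 0): (0, 29, None),      # out of support, no fix version published
    (5, 3): (0, 43, "5.3.44"),
}
OLDEST_LISTED_LINE = (5, 3)     # anything older is "unsupported, also affected"

# Jar naming pattern is an assumption (Maven-style artifact-version.jar, optional qualifier).
JAR_RE = re.compile(r"^(spring-(?:webmvc|web|core|context))-(\d+\.\d+\.\d+(?:[.-][\w.]+)?)\.jar$")

def parse_version(version):
    """Parse 'major.minor.patch', ignoring any trailing qualifier such as '-SNAPSHOT'."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def classify(version):
    """Return (status, fix_version). Status is 'affected', 'affected-unsupported',
    'fixed' or 'not-listed' (a line the advisory does not mention, e.g. 6.3.x)."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in AFFECTED_LINES:
        first, last, fix = AFFECTED_LINES[line]
        if first <= patch <= last:
            return ("affected", fix) if fix else ("affected-unsupported", None)
        return "fixed", None
    if line < OLDEST_LISTED_LINE:
        return "affected-unsupported", None
    return "not-listed", None

def scan_jars(jar_names):
    """Classify every Spring Framework jar in a list of file names (e.g. WEB-INF/lib)."""
    results = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            results[name] = classify(m.group(2))
    return results

if __name__ == "__main__":
    # Constructed sample of a WEB-INF/lib listing; not a real deployment.
    for jar, (status, fix) in scan_jars(["spring-webmvc-6.2.3.jar", "jackson-databind-2.17.0.jar"]).items():
        print(f"{jar}: {status}" + (f" -> upgrade to {fix}" if fix else ""))
```

The version check only tells you whether the jar falls in an affected range; as the advisory notes, actual exposure also depends on the Servlet container and on whether static resources are served through Spring resource handling.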


Credit

This issue was responsibly reported by 1ue and b1u3r from
Vidar-Team, and Joakim Erdfelt from Webtide.


References

    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1


History

    2025-08-14: Initial vulnerability report published.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
