=====================================================================
CERT-Renater Information Note No. 2025/VULN707
_____________________________________________________________________

DATE : 16/10/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Spring Framework versions prior to
6.2.12, 6.1.24, 5.3.46.
=====================================================================

https://spring.io/security/cve-2025-41254/
_____________________________________________________________________

CVE-2025-41254: Spring Framework STOMP CSRF Vulnerability
MEDIUM | OCTOBER 16, 2025 | CVE-2025-41254

Description

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and Versions

Spring Framework:
  6.2.0 - 6.2.11
  6.1.0 - 6.1.23
  6.0.x - 6.0.29
  5.3.0 - 5.3.45
Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
6.2.x                 6.2.12        OSS
6.1.x                 6.1.24        Commercial
6.0.x                 N/A           Out of support
5.3.x                 5.3.46        Commercial

No further mitigation steps are necessary.

Credit

This vulnerability was discovered and responsibly reported by Jannis Kaiser.

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.1

History

2025-10-16: Initial vulnerability report published.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email:cert@support.renater.fr  +
=========================================================
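To triage a fleet against this note, the check below maps a deployed Spring Framework version string onto the affected ranges and fix versions listed above. It is an added example, not CERT-Renater or Spring project tooling; the version-line table and the "older versions are also affected" rule are taken from the advisory, the parsing logic is assumed.

```python
"""Classify a Spring Framework version against CVE-2025-41254 (added example)."""
import re
from typing import Optional, Tuple

# First patch level that is fixed on each affected line, from the advisory table.
# None means no fixed release exists on that line (6.0.x is out of support),
# so every patch level of that line counts as affected.
FIXED_PATCH = {
    (6, 2): 12,    # 6.2.0 - 6.2.11 affected, fixed in 6.2.12
    (6, 1): 24,    # 6.1.0 - 6.1.23 affected, fixed in 6.1.24
    (6, 0): None,  # 6.0.x affected, N/A (out of support)
    (5, 3): 46,    # 5.3.0 - 5.3.45 affected, fixed in 5.3.46
}
# "Older, unsupported versions are also affected": anything below this line.
OLDEST_LISTED_LINE = (5, 3, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', ignoring a trailing qualifier such as
    '.RELEASE' (older 5.x artifacts) or '-SNAPSHOT'. Qualifiers are not ranked,
    so a snapshot of a fix version is optimistically treated as that version."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return major, minor, patch


def check(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fix_version).

    fix_version is None when the version is not affected, or when it is
    affected but no fixed release exists on its line; in the latter case the
    remedy is to move to a supported line (6.2.x, 6.1.x or 5.3.x)."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        fixed = FIXED_PATCH[line]
        if fixed is None:
            return True, None
        if patch < fixed:
            return True, f"{major}.{minor}.{fixed}"
        return False, None
    if (major, minor, patch) < OLDEST_LISTED_LINE:
        return True, None  # unsupported older line, no fix published for it
    return False, None     # newer line not listed as affected
```

Lines newer than those listed (for example a future 6.3.x) are reported as not affected only because the advisory does not name them; re-run against an updated note before relying on that.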