fkie_cve-2025-41234
Vulnerability from fkie_nvd
Published
2025-06-12 22:15
Modified
2025-06-16 12:32
Summary
Description

In Spring Framework, versions 6.0.x from 6.0.5 onward, and versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header with a non-ASCII charset and the filename attribute is derived from user-supplied input.

Specifically, an application is vulnerable when all of the following are true:

  * The header is prepared with org.springframework.http.ContentDisposition.
  * The filename is set via ContentDisposition.Builder#filename(String, Charset).
  * The value for the filename is derived from user-supplied input.
  * The application does not sanitize the user-supplied input.
  * The downloaded content of the response is injected with malicious commands by the attacker (see the RFD paper reference for details).

An application is not vulnerable if any of the following is true:

  * The application does not set a "Content-Disposition" response header.
  * The header is not prepared with org.springframework.http.ContentDisposition.
  * The filename is set via one of:
      * ContentDisposition.Builder#filename(String), or
      * ContentDisposition.Builder#filename(String, Charset) with an ASCII charset (written as filename(String, ASCII) in the advisory)
  * The filename is not derived from user-supplied input.
  * The filename is derived from user-supplied input but is sanitized by the application.
  * The attacker cannot inject malicious content into the downloaded content of the response.

Affected Spring Products and Versions

Spring Framework:

  * 6.2.0 - 6.2.7
  * 6.1.0 - 6.1.20
  * 6.0.5 - 6.0.28
  * Older, unsupported versions are not affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

  Affected version(s)   Fix version   Availability
  6.2.x                 6.2.8         OSS
  6.1.x                 6.1.21        OSS
  6.0.x                 6.0.29        Commercial (https://enterprise.spring.io/)

No further mitigation steps are necessary.
CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.
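The conditions above map directly onto controller code. The following is an added example, not code from the Spring advisory or the Spring Framework code base: the first handler satisfies every "vulnerable" condition at once, the second satisfies several of the "not vulnerable" conditions independently. The class name, request paths, parameter names, the sanitizeFilename helper and the renderReport placeholder are assumptions for illustration; the Spring API calls (ContentDisposition.attachment(), Builder#filename, HttpHeaders.CONTENT_DISPOSITION, ResponseEntity) are the real ones.

```java
// Added example, not part of the advisory or of Spring itself.
// Assumes Spring Web 6.x (spring-web / spring-webmvc) on the classpath.
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExportController {   // hypothetical controller name

    // VULNERABLE on Spring Framework 6.0.5 - 6.0.28, 6.1.0 - 6.1.20, 6.2.0 - 6.2.7:
    // all advisory conditions hold at once. The header is built with
    // ContentDisposition, the filename is request input passed unsanitized to
    // filename(String, Charset) with a non-ASCII charset, and the body echoes
    // attacker-controlled input, so a crafted link yields a download whose
    // name and content the attacker chooses (the RFD pattern).
    @GetMapping("/export/unsafe")
    public ResponseEntity<String> exportUnsafe(@RequestParam String name,
                                               @RequestParam String data) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8)   // non-ASCII charset + raw user input
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .contentType(MediaType.TEXT_PLAIN)
                .body(data);                              // reflected request input
    }

    // HARDENED: the user-supplied name is reduced to an allow-listed ASCII form
    // with a server-fixed extension, the ASCII filename(String) overload is used
    // (its Javadoc states quote characters are backslash-escaped), and the body
    // is server-generated rather than reflected. Each measure alone satisfies one
    // of the advisory's "not vulnerable" conditions, so this handler is safe on
    // any listed version; the nosniff header is defence in depth against the
    // browser reinterpreting the download and is not required by the advisory.
    @GetMapping("/export/safe")
    public ResponseEntity<String> exportSafe(@RequestParam String name) {
        String safeName = sanitizeFilename(name) + ".csv";   // extension chosen server-side
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(safeName)
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .header("X-Content-Type-Options", "nosniff")
                .contentType(MediaType.TEXT_PLAIN)
                .body(renderReport());                       // server-side content only
    }

    // Anything outside [A-Za-z0-9._-] is replaced: this removes quotes, semicolons,
    // backslashes, control characters and non-ASCII bytes, so nothing in the
    // value can terminate or extend the header parameter.
    private static final Pattern DISALLOWED = Pattern.compile("[^A-Za-z0-9._-]");

    // Hypothetical sanitizer: allow-list the characters, collapse dot runs,
    // strip leading/trailing punctuation, cap the length, never return empty.
    static String sanitizeFilename(String input) {
        if (input == null) {
            return "download";
        }
        String cleaned = DISALLOWED.matcher(input).replaceAll("_");
        cleaned = cleaned.replaceAll("\\.{2,}", ".");
        cleaned = cleaned.replaceAll("^[._-]+|[._-]+$", "");
        if (cleaned.length() > 64) {
            cleaned = cleaned.substring(0, 64);
        }
        return cleaned.isEmpty() ? "download" : cleaned;
    }

    // Placeholder for real report generation; the point is that no request
    // parameter reaches the response body.
    private String renderReport() {
        return "id,value\n1,ok\n";
    }
}
```

On an affected version the first handler is exactly the configuration the advisory describes; the second does not depend on the fix because it never passes unsanitized input to the non-ASCII overload and never reflects request data into the body. Upgrading to 6.2.8 / 6.1.21 / 6.0.29 is still the mitigation the advisory prescribes; to see which spring-web version a Maven build actually resolves, run `mvn dependency:tree -Dincludes=org.springframework:spring-web` and compare against the affected ranges above.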
{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Description\n\nIn Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.\n\nSpecifically, an application is vulnerable when all the following are true:\n\n  *  The header is prepared with org.springframework.http.ContentDisposition.\n  *  The filename is set via ContentDisposition.Builder#filename(String, Charset).\n  *  The value for the filename is derived from user-supplied input.\n  *  The application does not sanitize the user-supplied input.\n  *  The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).\n\n\nAn application is not vulnerable if any of the following is true:\n\n  *  The application does not set a \u201cContent-Disposition\u201d response header.\n  *  The header is not prepared with org.springframework.http.ContentDisposition.\n  *  The filename is set via one of:  *  ContentDisposition.Builder#filename(String), or\n  *  ContentDisposition.Builder#filename(String, ASCII)\n\n\n\n  *  The filename is not derived from user-supplied input.\n  *  The filename is derived from user-supplied input but sanitized by the application.\n  *  The attacker cannot inject malicious content in the downloaded content of the response.\n\n\nAffected Spring Products and VersionsSpring Framework:\n\n  *  6.2.0 - 6.2.7\n  *  6.1.0 - 6.1.20\n  *  6.0.5 - 6.0.28\n  *  Older, unsupported versions are not affected\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\n\nCWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets."
    }
  ],
  "id": "CVE-2025-41234",
  "lastModified": "2025-06-16T12:32:18.840",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 4.7,
        "source": "security@vmware.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-12T22:15:21.090",
  "references": [
    {
      "source": "security@vmware.com",
      "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N\u0026version=3.1"
    },
    {
      "source": "security@vmware.com",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41234"
    },
    {
      "source": "security@vmware.com",
      "url": "https://spring.io/security/cve-2025-41234"
    }
  ],
  "sourceIdentifier": "security@vmware.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-113"
        }
      ],
      "source": "security@vmware.com",
      "type": "Secondary"
    }
  ]
}

