{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-41234", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-04-16T09:29:46.972Z", "datePublished": "2025-06-12T21:14:42.957Z", "dateUpdated": "2025-06-13T14:03:35.406Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Spring Framework", "vendor": "VMware", "versions": [{"changes": [{"at": "6.0.29", "status": "unaffected"}], "lessThanOrEqual": "6.0.28", "status": "affected", "version": "6.0.5", "versionType": "COMMERCIAL"}, {"changes": [{"at": "6.1.21", "status": "unaffected"}], "lessThanOrEqual": "6.1.20", "status": "affected", "version": "6.1.0", "versionType": "OSS"}, {"changes": [{"at": "6.2.8", "status": "unaffected"}], "lessThanOrEqual": "6.2.7", "status": "affected", "version": "6.2.0", "versionType": "OSS"}]}], "datePublic": "2025-06-12T21:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><h1>Description</h1><p></p><p>In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.</p><p>Specifically, an application is vulnerable when all the following are true:</p><ul><li>The header is prepared with <code>org.springframework.http.ContentDisposition</code>.</li><li>The filename is set via <code>ContentDisposition.Builder#filename(String, Charset)</code>.</li><li>The value for the filename is derived from user-supplied input.</li><li>The application does not sanitize the user-supplied input.</li><li>The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).</li></ul><p>An application is not vulnerable if any of the following is true:</p><ul><li>The application does not set a \u201cContent-Disposition\u201d response header.</li><li>The header is not prepared with <code>org.springframework.http.ContentDisposition</code>.</li><li>The filename is set via one of:<ul><li><code>ContentDisposition.Builder#filename(String)</code>, or</li><li><code>ContentDisposition.Builder#filename(String, ASCII)</code></li></ul></li><li>The filename is not derived from user-supplied input.</li><li>The filename is derived from user-supplied input but sanitized by the application.</li><li>The attacker cannot inject malicious content in the downloaded content of the response.</li></ul><h1>Affected Spring Products and Versions</h1><p>Spring Framework:</p><ul><li>6.2.0 - 6.2.7</li><li>6.1.0 - 6.1.20</li><li>6.0.5 - 6.0.28</li><li>Older, unsupported versions are not affected</li></ul><h1>Mitigation</h1><p>Users of affected versions should upgrade to the corresponding fixed version.</p><table><thead><tr><th>Affected version(s)</th><th>Fix version</th><th>Availability</th></tr></thead><tbody><tr><td>6.2.x</td><td>6.2.8</td><td>OSS</td></tr><tr><td>6.1.x</td><td>6.1.21</td><td>OSS</td></tr><tr><td>6.0.x</td><td>6.0.29</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\">Commercial</a></td></tr></tbody></table><p>No further mitigation steps are necessary.</p><br>CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets."}], "value": "Description\n\nIn Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.\n\nSpecifically, an application is vulnerable when all the following are true:\n\n * The header is prepared with org.springframework.http.ContentDisposition.\n * The filename is set via ContentDisposition.Builder#filename(String, Charset).\n * The value for the filename is derived from user-supplied input.\n * The application does not sanitize the user-supplied input.\n * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not set a \u201cContent-Disposition\u201d response header.\n * The header is not prepared with org.springframework.http.ContentDisposition.\n * The filename is set via one of: * ContentDisposition.Builder#filename(String), or\n * ContentDisposition.Builder#filename(String, ASCII)\n\n\n\n * The filename is not derived from user-supplied input.\n * The filename is derived from user-supplied input but sanitized by the application.\n * The attacker cannot inject malicious content in the downloaded content of the response.\n\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.7\n * 6.1.0 - 6.1.20\n * 6.0.5 - 6.0.28\n * Older, unsupported versions are not affected\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\n\nCWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Allows Reflected File Download (RFD) leading to potential compromise of confidentiality and integrity through malicious content injection in downloaded files."}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-06-12T21:14:42.957Z"}, "references": [{"url": "https://spring.io/security/cve-2025-41234"}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41234"}, {"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1"}], "source": {"discovery": "UNKNOWN"}, "title": "RFD Attack via \u201cContent-Disposition\u201d Header Sourced from Request", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-13T14:03:20.791564Z", "id": "CVE-2025-41234", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T14:03:35.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-41234", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-13T14:03:20.791564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T14:03:26.685Z"}}], "cna": {"title": "RFD Attack via \u201cContent-Disposition\u201d Header Sourced from Request", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Allows Reflected File Download (RFD) leading to potential compromise of confidentiality and integrity through malicious content injection in downloaded files."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VMware", "product": "Spring Framework", "versions": [{"status": "affected", "changes": [{"at": "6.0.29", "status": "unaffected"}], "version": "6.0.5", "versionType": "COMMERCIAL", "lessThanOrEqual": "6.0.28"}, {"status": "affected", "changes": [{"at": "6.1.21", "status": "unaffected"}], "version": "6.1.0", "versionType": "OSS", "lessThanOrEqual": "6.1.20"}, {"status": "affected", "changes": [{"at": "6.2.8", "status": "unaffected"}], "version": "6.2.0", "versionType": "OSS", "lessThanOrEqual": "6.2.7"}], "defaultStatus": "unaffected"}], "datePublic": "2025-06-12T21:00:00.000Z", "references": [{"url": "https://spring.io/security/cve-2025-41234"}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41234"}, {"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Description\n\nIn Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.\n\nSpecifically, an application is vulnerable when all the following are true:\n\n * The header is prepared with org.springframework.http.ContentDisposition.\n * The filename is set via ContentDisposition.Builder#filename(String, Charset).\n * The value for the filename is derived from user-supplied input.\n * The application does not sanitize the user-supplied input.\n * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not set a \u201cContent-Disposition\u201d response header.\n * The header is not prepared with org.springframework.http.ContentDisposition.\n * The filename is set via one of: * ContentDisposition.Builder#filename(String), or\n * ContentDisposition.Builder#filename(String, ASCII)\n\n\n\n * The filename is not derived from user-supplied input.\n * The filename is derived from user-supplied input but sanitized by the application.\n * The attacker cannot inject malicious content in the downloaded content of the response.\n\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.7\n * 6.1.0 - 6.1.20\n * 6.0.5 - 6.0.28\n * Older, unsupported versions are not affected\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\n\nCWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.", "supportingMedia": [{"type": "text/html", "value": "<p></p><h1>Description</h1><p></p><p>In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.</p><p>Specifically, an application is vulnerable when all the following are true:</p><ul><li>The header is prepared with <code>org.springframework.http.ContentDisposition</code>.</li><li>The filename is set via <code>ContentDisposition.Builder#filename(String, Charset)</code>.</li><li>The value for the filename is derived from user-supplied input.</li><li>The application does not sanitize the user-supplied input.</li><li>The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).</li></ul><p>An application is not vulnerable if any of the following is true:</p><ul><li>The application does not set a \u201cContent-Disposition\u201d response header.</li><li>The header is not prepared with <code>org.springframework.http.ContentDisposition</code>.</li><li>The filename is set via one of:<ul><li><code>ContentDisposition.Builder#filename(String)</code>, or</li><li><code>ContentDisposition.Builder#filename(String, ASCII)</code></li></ul></li><li>The filename is not derived from user-supplied input.</li><li>The filename is derived from user-supplied input but sanitized by the application.</li><li>The attacker cannot inject malicious content in the downloaded content of the response.</li></ul><h1>Affected Spring Products and Versions</h1><p>Spring Framework:</p><ul><li>6.2.0 - 6.2.7</li><li>6.1.0 - 6.1.20</li><li>6.0.5 - 6.0.28</li><li>Older, unsupported versions are not affected</li></ul><h1>Mitigation</h1><p>Users of affected versions should upgrade to the corresponding fixed version.</p><table><thead><tr><th>Affected version(s)</th><th>Fix version</th><th>Availability</th></tr></thead><tbody><tr><td>6.2.x</td><td>6.2.8</td><td>OSS</td></tr><tr><td>6.1.x</td><td>6.1.21</td><td>OSS</td></tr><tr><td>6.0.x</td><td>6.0.29</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\">Commercial</a></td></tr></tbody></table><p>No further mitigation steps are necessary.</p><br>CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-06-12T21:14:42.957Z"}}}, "cveMetadata": {"cveId": "CVE-2025-41234", "state": "PUBLISHED", "dateUpdated": "2025-06-13T14:03:35.406Z", "dateReserved": "2025-04-16T09:29:46.972Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2025-06-12T21:14:42.957Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Description\n\nIn Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.\n\nSpecifically, an application is vulnerable when all the following are true:\n\n * The header is prepared with org.springframework.http.ContentDisposition.\n * The filename is set via ContentDisposition.Builder#filename(String, Charset).\n * The value for the filename is derived from user-supplied input.\n * The application does not sanitize the user-supplied input.\n * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).\n\n\nAn application is not vulnerable if any of the following is true:\n\n * The application does not set a \u201cContent-Disposition\u201d response header.\n * The header is not prepared with org.springframework.http.ContentDisposition.\n * The filename is set via one of: * ContentDisposition.Builder#filename(String), or\n * ContentDisposition.Builder#filename(String, ASCII)\n\n\n\n * The filename is not derived from user-supplied input.\n * The filename is derived from user-supplied input but sanitized by the application.\n * The attacker cannot inject malicious content in the downloaded content of the response.\n\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.7\n * 6.1.0 - 6.1.20\n * 6.0.5 - 6.0.28\n * Older, unsupported versions are not affected\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\n\nCWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets."}, {"lang": "es", "value": "Description In Spring Framework, versiones 6.0.x a 6.0.5, versiones 6.1.x y 6.2.x, una aplicaci\u00f3n es vulnerable a un ataque de descarga de archivo reflejada (RFD) cuando establece un encabezado \"Content-Disposition\" con un juego de caracteres que no es ASCII, donde el atributo filename se deriva de la entrada proporcionada por el usuario. Espec\u00edficamente, una aplicaci\u00f3n es vulnerable cuando todo lo siguiente es verdadero: * El encabezado se prepara con org.springframework.http.ContentDisposition. * El nombre de archivo se establece mediante ContentDisposition.Builder#filename(String, Charset). * El valor para el nombre de archivo se deriva de la entrada proporcionada por el usuario. * La aplicaci\u00f3n no desinfecta la entrada proporcionada por el usuario. * El atacante inyecta el contenido descargado de la respuesta con comandos maliciosos (consulte la referencia del documento RFD para obtener m\u00e1s detalles). Una aplicaci\u00f3n no es vulnerable si se cumple alguna de las siguientes condiciones: * La aplicaci\u00f3n no establece un encabezado de respuesta \"Content-Disposition\". * El encabezado no est\u00e1 preparado con org.springframework.http.ContentDisposition. * El nombre del archivo se establece mediante uno de los siguientes m\u00e9todos: * ContentDisposition.Builder#filename(String) o * ContentDisposition.Builder#filename(String, ASCII). * El nombre del archivo no se deriva de la entrada proporcionada por el usuario. * El nombre del archivo se deriva de la entrada proporcionada por el usuario, pero la aplicaci\u00f3n lo desinfecta. * El atacante no puede inyectar contenido malicioso en el contenido descargado de la respuesta. Productos y versiones de Spring afectados Spring Framework: * 6.2.0 - 6.2.7 * 6.1.0 - 6.1.20 * 6.0.5 - 6.0.28 * Las versiones anteriores sin soporte no se ven afectadas Mitigaci\u00f3n Los usuarios de las versiones afectadas deben actualizar a la versi\u00f3n corregida correspondiente. Versiones afectadas. Versi\u00f3n corregida. Disponibilidad: 6.2.x6.2.8OSS. 6.1.x6.1.21OSS. 6.0.x6.0.29. Comercial: https://enterprise.spring.io/. No se requieren medidas de mitigaci\u00f3n adicionales. El error CWE-113 en la gesti\u00f3n de `Content-Disposition` en VMware Spring Framework, versiones 6.0.5 a 6.2.7, permite a atacantes remotos lanzar ataques de descarga reflejada de archivos (RFD) mediante la entrada de usuario no depurada en `ContentDisposition.Builder#filename(String, Charset)` con conjuntos de caracteres no ASCII."}], "id": "CVE-2025-41234", "lastModified": "2025-06-16T12:32:18.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.7, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2025-06-12T22:15:21.090", "references": [{"source": "security@vmware.com", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1"}, {"source": "security@vmware.com", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41234"}, {"source": "security@vmware.com", "url": "https://spring.io/security/cve-2025-41234"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "springframework: Reflected download attack in Spring Framework with non-ASCII headers", "id": "2372578", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2372578"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-113", "details": ["Description\nIn Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a \u201cContent-Disposition\u201d header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.\nSpecifically, an application is vulnerable when all the following are true:\n* The header is prepared with org.springframework.http.ContentDisposition.\n* The filename is set via ContentDisposition.Builder#filename(String, Charset).\n* The value for the filename is derived from user-supplied input.\n* The application does not sanitize the user-supplied input.\n* The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).\nAn application is not vulnerable if any of the following is true:\n* The application does not set a \u201cContent-Disposition\u201d response header.\n* The header is not prepared with org.springframework.http.ContentDisposition.\n* The filename is set via one of: * ContentDisposition.Builder#filename(String), or\n* ContentDisposition.Builder#filename(String, ASCII)\n* The filename is not derived from user-supplied input.\n* The filename is derived from user-supplied input but sanitized by the application.\n* The attacker cannot inject malicious content in the downloaded content of the response.\nAffected Spring Products and VersionsSpring Framework:\n* 6.2.0 - 6.2.7\n* 6.1.0 - 6.1.20\n* 6.0.5 - 6.0.28\n* Older, unsupported versions are not affected\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\nAffected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\nCWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.", "A mishandling of non-ASCII characters in headers flaw was found in the Spring framework. This flaw allows an attacker to tamper with a file download under specific conditions when content names are user-supplied, and the victim then downloads unintended content."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-41234", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Fix deferred", "package_name": "quarkus-camel-bom", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Fix deferred", "package_name": "quarkus-cxf-bom", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "xbean", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "javapackages-tools:201801/xbean", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-core:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "xbean", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Fix deferred", "package_name": "spring-web", "product_name": "streams for Apache Kafka"}], "public_date": "2025-06-12T21:14:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-41234\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-41234\nhttps://github.com/spring-projects/spring-framework/commit/f0e7b42704e6b33958f242d91bd690d6ef7ada9c\nhttps://github.com/spring-projects/spring-framework/commit/fd68ea6fcbf94fc1d38bfefd3692fe094652ab3d\nhttps://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1\nhttps://spring.io/security/cve-2025-41234"], "threat_severity": "Moderate"}