Description

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.

INFO

Published Date :

2025-08-18T08:47:07.427Z

Last Modified :

2025-08-25T18:14:59.837Z

Source :

vmware
AFFECTED PRODUCTS

The following products are affected by CVE-2025-41242 vulnerability.

Vendors Products
Vmware
  • Spring Framework
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-41242.

URL Resource
http://spring.io/security/cve-2025-41242 cve-icon cve-icon cve-icon
https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title cve-icon
https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-41242 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-41242 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact