{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-41254", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-04-16T09:30:25.626Z", "datePublished": "2025-10-16T14:48:37.350Z", "dateUpdated": "2025-10-16T16:10:14.510Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Spring Framework", "vendor": "VMware", "versions": [{"status": "affected", "version": "5.3.x"}, {"status": "affected", "version": "6.0.x"}, {"status": "affected", "version": "6.1.x"}, {"status": "affected", "version": "6.2.x"}]}], "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was discovered and responsibly reported by Jannis Kaiser."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><p>STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.</p><h1>Affected Spring Products and Versions</h1><p>Spring Framework:</p><ul><li>6.2.0 - 6.2.11</li><li>6.1.0 - 6.1.23</li><li>6.0.x - 6.0.29</li><li>5.3.0 - 5.3.45</li><li>Older, unsupported versions are also affected.</li></ul><h1>Mitigation</h1><p>Users of affected versions should upgrade to the corresponding fixed version.</p><table><thead><tr><th>Affected version(s)</th><th>Fix version</th><th>Availability</th></tr></thead><tbody><tr><td>6.2.x</td><td>6.2.12</td><td>OSS</td></tr><tr><td>6.1.x</td><td>6.1.24</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\">Commercial</a></td></tr><tr><td>6.0.x</td><td>N/A</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/projects/spring-framework#support\">Out of support</a></td></tr><tr><td>5.3.x</td><td>5.3.46</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\">Commercial</a></td></tr></tbody></table><p>No further mitigation steps are necessary.</p><h1>Credit</h1><p>This vulnerability was discovered and responsibly reported by Jannis Kaiser.</p><br><p></p>"}], "value": "STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.11\n * 6.1.0 - 6.1.23\n * 6.0.x - 6.0.29\n * 5.3.0 - 5.3.45\n * Older, unsupported versions are also affected.\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\nCreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-10-16T14:54:08.677Z"}, "references": [{"name": "Official Advisory", "url": "https://spring.io/security/cve/2025-41254"}, {"name": "CVSS Calculator", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.1"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Users of affected versions should upgrade to fixed releases: 6.2.12 (OSS), 6.1.24 (Commercial), and 5.3.46 (Commercial). No further mitigation steps are necessary.</p>"}], "value": "Users of affected versions should upgrade to fixed releases: 6.2.12 (OSS), 6.1.24 (Commercial), and 5.3.46 (Commercial). No further mitigation steps are necessary."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2025-10-16T00:00:00.000Z", "value": "Initial vulnerability report published"}], "title": "Spring Framework STOMP CSRF Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-16T16:10:02.754596Z", "id": "CVE-2025-41254", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T16:10:14.510Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-41254", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-16T16:10:02.754596Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T16:10:07.805Z"}}], "cna": {"title": "Spring Framework STOMP CSRF Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was discovered and responsibly reported by Jannis Kaiser."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VMware", "product": "Spring Framework", "versions": [{"status": "affected", "version": "5.3.x"}, {"status": "affected", "version": "6.0.x"}, {"status": "affected", "version": "6.1.x"}, {"status": "affected", "version": "6.2.x"}], "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-10-16T00:00:00.000Z", "value": "Initial vulnerability report published"}], "solutions": [{"lang": "en", "value": "Users of affected versions should upgrade to fixed releases: 6.2.12 (OSS), 6.1.24 (Commercial), and 5.3.46 (Commercial). No further mitigation steps are necessary.", "supportingMedia": [{"type": "text/html", "value": "<p>Users of affected versions should upgrade to fixed releases: 6.2.12 (OSS), 6.1.24 (Commercial), and 5.3.46 (Commercial). No further mitigation steps are necessary.</p>", "base64": false}]}], "references": [{"url": "https://spring.io/security/cve/2025-41254", "name": "Official Advisory"}, {"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.1", "name": "CVSS Calculator"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.11\n * 6.1.0 - 6.1.23\n * 6.0.x - 6.0.29\n * 5.3.0 - 5.3.45\n * Older, unsupported versions are also affected.\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\nCreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.", "supportingMedia": [{"type": "text/html", "value": "<p></p><p>STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.</p><h1>Affected Spring Products and Versions</h1><p>Spring Framework:</p><ul><li>6.2.0 - 6.2.11</li><li>6.1.0 - 6.1.23</li><li>6.0.x - 6.0.29</li><li>5.3.0 - 5.3.45</li><li>Older, unsupported versions are also affected.</li></ul><h1>Mitigation</h1><p>Users of affected versions should upgrade to the corresponding fixed version.</p><table><thead><tr><th>Affected version(s)</th><th>Fix version</th><th>Availability</th></tr></thead><tbody><tr><td>6.2.x</td><td>6.2.12</td><td>OSS</td></tr><tr><td>6.1.x</td><td>6.1.24</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\">Commercial</a></td></tr><tr><td>6.0.x</td><td>N/A</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/projects/spring-framework#support\">Out of support</a></td></tr><tr><td>5.3.x</td><td>5.3.46</td><td><a target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\">Commercial</a></td></tr></tbody></table><p>No further mitigation steps are necessary.</p><h1>Credit</h1><p>This vulnerability was discovered and responsibly reported by Jannis Kaiser.</p><br><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-10-16T14:54:08.677Z"}}}, "cveMetadata": {"cveId": "CVE-2025-41254", "state": "PUBLISHED", "dateUpdated": "2025-10-16T16:10:14.510Z", "dateReserved": "2025-04-16T09:30:25.626Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2025-10-16T14:48:37.350Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.11\n * 6.1.0 - 6.1.23\n * 6.0.x - 6.0.29\n * 5.3.0 - 5.3.45\n * Older, unsupported versions are also affected.\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\nCreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser."}], "id": "CVE-2025-41254", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2025-10-16T15:15:33.417", "references": [{"source": "security@vmware.com", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.1"}, {"source": "security@vmware.com", "url": "https://spring.io/security/cve/2025-41254"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "org.springframework/spring-core: Spring Framework STOMP CSRF Vulnerability", "id": "2404437", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404437"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-352", "details": ["STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\nAffected Spring Products and VersionsSpring Framework:\n* 6.2.0 - 6.2.11\n* 6.1.0 - 6.1.23\n* 6.0.x - 6.0.29\n* 5.3.0 - 5.3.45\n* Older, unsupported versions are also affected.\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\nAffected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\nCreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-41254", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "spring-core-test", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-core:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "spring-core", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2025-10-16T14:48:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-41254\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-41254\nhttps://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.1\nhttps://spring.io/security/cve/2025-41254"], "threat_severity": "Moderate"}

{"created": "2025-10-20T13:25:12.197456+00:00", "updated": "2025-10-20T13:25:12.197480+00:00", "vendors": ["vmware", "vmware$PRODUCT$spring_framework"]}