CVE-2025-41242

CWE-22 — Path Traversal7 documents6 sources

Severity

5.9MEDIUM

EPSS

0.1%

top 77.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework

Timeline

PublishedAug 18

Description

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization * the application serves static resources https://do…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶Mavenorg.springframework:spring-webmvc6.2.0 — 6.2.10+3

▶CVEListV5vmware/spring_framework6.2.x — 6.2.10+2

🔴Vulnerability Details

GHSA

Spring Framework MVC Applications Path Traversal Vulnerability↗2025-08-18

▶

OSV

CVE-2025-41242: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container↗2025-08-18

▶

OSV

Spring Framework MVC Applications Path Traversal Vulnerability↗2025-08-18

▶

CVEList

CVE-2025-41242: Path traversal vulnerability on non-compliant Servlet containers↗2025-08-18

▶

📋Vendor Advisories

Red Hat

org.springframework/spring-webmvc: Spring Framework MVC path traversal vulnerability↗2025-08-18

▶

Debian

CVE-2025-41242: libspring-java - Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnera...↗2025

▶