CVE-2025-41254

CWE-352 — Cross-Site Request Forgery (CSRF)7 documents6 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 81.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Framework

Timeline

PublishedOct 16

Description

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6.2.11 * 6.1.0 - 6.1.23 * 6.0.x - 6.0.29 * 5.3.0 - 5.3.45 * Older, unsupported versions are also affected. MitigationUsers of affected versions should upgrade to the corresponding fixed version. Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶Mavenorg.springframework:spring-websocket6.2.0 — 6.2.12+3

▶CVEListV5vmware/spring_framework4 versions+3

🔴Vulnerability Details

OSV

CVE-2025-41254: STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages↗2025-10-16

▶

OSV

Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages↗2025-10-16

▶

CVEList

Spring Framework STOMP CSRF Vulnerability↗2025-10-16

▶

GHSA

Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages↗2025-10-16

▶

📋Vendor Advisories

Red Hat

org.springframework/spring-core: Spring Framework STOMP CSRF Vulnerability↗2025-10-16

▶

Debian

CVE-2025-41254: libspring-java - STOMP over WebSocket applications may be vulnerable to a security bypass that al...↗2025

▶