CVE-2025-41254
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-16
Assigner: VMware
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spring | spring_framework | 6.1.0 |
| spring | spring_framework | 6.1.23 |
| spring | spring_framework | 5.3.0 |
| spring | spring_framework | 6.0 |
| spring | spring_framework | 6.2.11 |
| spring | spring_framework | 6.2.0 |
| spring | spring_framework | 5.3.45 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects STOMP over WebSocket applications in certain versions of the Spring Framework. It allows an attacker to bypass security controls and send unauthorized messages through the WebSocket connection.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized message sending, which may result in unauthorized actions or data manipulation within applications using affected Spring Framework versions. This could compromise the integrity of the application's messaging system.
What immediate steps should I take to mitigate this vulnerability?
Users of affected versions should upgrade to the corresponding fixed version as listed: 6.2.x to 6.2.12, 6.1.x to 6.1.24, and 5.3.x to 5.3.46. No further mitigation steps are necessary.