NuytsTech Security

CVE-2025-41254

by ·

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and VersionsSpring Framework:

* 6.2.0 – 6.2.11
* 6.1.0 – 6.1.23
* 6.0.x – 6.0.29
* 5.3.0 – 5.3.45
* Older, unsupported versions are also affected.

MitigationUsers of affected versions should upgrade to the corresponding fixed version.

Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.

CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.

More information : https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.1

Tags: