Spring Framework
cpe:2.3:a:springsource:spring_framework:*:*:*:*:*:*:*
- >= 6.2.0, <= 6.2.9
- >= 6.1.0, <= 6.1.21
- >= 6.0.0, <= 6.0.29
- >= 5.3.0, <= 5.3.43
A path traversal vulnerability has been identified in Spring Framework MVC applications deployed on non-compliant Servlet containers. The vulnerability arises when the application is packaged as a WAR file or uses an embedded Servlet container, and that Servlet container fails to properly sanitize URI path sequences. Additionally, the application must serve static resources through Spring's resource handling. Applications running on Apache Tomcat or Eclipse Jetty are not vulnerable as long as the containers' default security settings are kept; on other containers the issue can affect the Spring Framework version ranges listed above.
Exploitation of this vulnerability allows for path traversal, potentially leading to unauthorized access to files outside the intended directory.
Users of Spring Framework versions 6.2.x should upgrade to 6.2.10, those on 6.1.x should upgrade to 6.1.22, and users on 5.3.x should upgrade to 5.3.44. Version 6.0.x is out of support.
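As an added triage helper (not code from the Spring project or from this advisory's publisher), the following Python script encodes the affected version ranges and fix versions exactly as stated above and classifies a Spring Framework version found in a dependency tree. The version strings in the usage section are constructed samples. A version inside an affected range only establishes the first condition; the advisory's remaining conditions (WAR packaging or an embedded container, a Servlet container that does not sanitize URI path sequences, and static resources served through Spring's resource handling) still have to be checked for the deployment in question.

```python
"""Triage helper for the Spring Framework path-traversal advisory above.

Added example; it is not code from the Spring project or the advisory's
publisher. The ranges and fix versions are copied from the advisory text.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Affected ranges as the advisory lists them: (minimum, maximum, fixed-in).
# 6.0.x carries no fix version because the advisory says that line is out of support.
AFFECTED_RANGES = [
    ("6.2.0", "6.2.9", "6.2.10"),
    ("6.1.0", "6.1.21", "6.1.22"),
    ("6.0.0", "6.0.29", None),
    ("5.3.0", "5.3.43", "5.3.44"),
]


def parse_version(text: str) -> tuple:
    """Turn '6.1.21' (optionally followed by a qualifier such as '-SNAPSHOT'
    or '.RELEASE') into a comparable (major, minor, patch) tuple.
    Qualifiers are ignored for triage purposes."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised Spring Framework version: {text!r}")
    return tuple(int(part) for part in match.groups())


@dataclass
class Triage:
    version: str
    affected: bool
    fixed_in: Optional[str]   # None when not affected or when the line is unsupported
    note: str


def triage(version_text: str) -> Triage:
    """Classify one Spring Framework version against the advisory's ranges."""
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= version <= parse_version(high):
            if fixed is None:
                return Triage(version_text, True, None,
                              "affected; 6.0.x is out of support, move to a supported line")
            return Triage(version_text, True, fixed, f"affected; upgrade to {fixed}")
    return Triage(version_text, False, None,
                  "not in an affected range listed by the advisory")


if __name__ == "__main__":
    # Constructed sample versions, e.g. as read from a dependency tree.
    for sample in ["6.2.9", "6.2.10", "6.1.21-SNAPSHOT", "6.0.15", "5.3.43", "5.3.44"]:
        result = triage(sample)
        print(f"{result.version:16} affected={result.affected!s:5} {result.note}")
```

Run it against the `spring-webmvc` (or `spring-core`) version reported by your build tool; a result of `affected=True` is the cue to verify the deployment conditions named in the advisory rather than a confirmation that the application is exploitable.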