Spring Framework STOMP over WebSocket Security Bypass Vulnerability Allowing Unauthorized Message Transmission

Vulnerability

A security bypass vulnerability has been identified in STOMP over WebSocket applications using Spring Framework. This vulnerability allows attackers to send unauthorized messages. It affects multiple Spring Framework versions, including 6.2.0 through 6.2.11, 6.1.0 through 6.1.23, 6.0.x prior to 6.0.29, and 5.3.0 through 5.3.45. Older, unsupported versions are also vulnerable.

Impact

Exploitation of this vulnerability could lead to unauthorized message transmission in STOMP over WebSocket applications, potentially allowing attackers to inject messages into the communication stream.

Remediation

Users of affected Spring Framework versions should upgrade to the following fixed versions: 6.2.x users should upgrade to 6.2.12, 6.1.x users should upgrade to 6.1.24, and 5.3.x users should upgrade to 5.3.46. Instructions for obtaining these versions are available on the Spring Enterprise website.
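To turn the affected and fixed ranges above into a repeatable check, here is an added example (not part of the advisory) that classifies a Spring Framework version string against those ranges and scans a dependency listing for Spring artifacts. The version boundaries are copied from the advisory text; the 6.0.29 target for the 6.0.x line is inferred from the advisory's "prior to 6.0.29" wording, since the remediation paragraph lists no upgrade target for that line. The dependency report and regular expressions are this example's own assumptions, and the sample report is constructed rather than real project output.

```python
"""Version-range check for the Spring Framework STOMP over WebSocket advisory.

The affected and fixed versions below are copied from the advisory text.
Nothing here models the vulnerability itself; it only answers "is this
build inside an affected range, and what is the matching fixed release?"
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (branch label, first affected version, first fixed version).
# 6.2.x, 6.1.x and 5.3.x fixed versions are the advisory's stated upgrade
# targets. For 6.0.x the advisory says "prior to 6.0.29" is affected and
# lists no upgrade target, so 6.0.29 is inferred from that range.
AFFECTED_RANGES: List[Tuple[str, Version, Version]] = [
    ("6.2.x", (6, 2, 0), (6, 2, 12)),
    ("6.1.x", (6, 1, 0), (6, 1, 24)),
    ("6.0.x", (6, 0, 0), (6, 0, 29)),
    ("5.3.x", (5, 3, 0), (5, 3, 46)),
]

# Anything older than the oldest listed branch is "unsupported" in the
# advisory's wording: vulnerable, with no fixed release on that line.
OLDEST_LISTED: Version = (5, 3, 0)

# Accepts "6.2.11", "6.2.11.RELEASE", "6.2.12-SNAPSHOT"; the qualifier is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-][0-9A-Za-z.-]*)?$")

# Assumed coordinate styles: Maven ("org.springframework:spring-core:jar:6.2.11:compile")
# and Gradle ("org.springframework:spring-core:6.2.11").
_DEP_RE = re.compile(
    r"org\.springframework:(spring-[\w-]+):(?:jar:)?(\d+\.\d+\.\d+[\w.-]*)"
)


def parse_version(text: str) -> Version:
    """Parse a Spring Framework version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Dict[str, object]:
    """Classify one version: affected True/False, or None if the line is not listed."""
    v = parse_version(version_text)
    for branch, first_affected, first_fixed in AFFECTED_RANGES:
        if v[:2] != first_affected[:2]:
            continue  # different minor line
        affected = first_affected <= v < first_fixed
        return {
            "version": version_text,
            "branch": branch,
            "affected": affected,
            "upgrade_to": fmt(first_fixed) if affected else None,
        }
    if v < OLDEST_LISTED:
        return {"version": version_text, "branch": "unsupported",
                "affected": True, "upgrade_to": None}
    # A line newer than any the advisory lists (e.g. 6.3.x) is simply not
    # covered by this advisory; do not assume it is fixed.
    return {"version": version_text, "branch": "not listed",
            "affected": None, "upgrade_to": None}


def scan_dependency_report(report: str) -> List[Dict[str, object]]:
    """Find Spring Framework artifacts in a dependency listing and assess each."""
    findings = []
    for artifact, version in _DEP_RE.findall(report):
        result = assess(version)
        result["artifact"] = artifact
        findings.append(result)
    return findings


# Constructed sample of a Maven dependency listing (not real project output).
SAMPLE_REPORT = """\
[INFO]    org.springframework:spring-core:jar:6.2.11:compile
[INFO]    org.springframework:spring-websocket:jar:6.2.11:compile
[INFO]    org.springframework:spring-messaging:jar:6.2.11:compile
[INFO]    com.example:other-lib:jar:1.0.0:compile
"""

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "not covered"}
    for f in scan_dependency_report(SAMPLE_REPORT):
        print(f'{f["artifact"]:20} {f["version"]:10} {labels[f["affected"]]:12}'
              f' upgrade to: {f["upgrade_to"] or "-"}')
```

Run it against the output of `mvn dependency:list` or a Gradle dependency report; each `spring-*` artifact is reported separately, because transitive dependencies can pull in a different Spring version than the one declared directly.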

Added: Oct 16, 2025, 3:22 PM
Updated: Oct 16, 2025, 3:34 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 4.7
remediation: 7.7
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.