Skip to content

Spring Framework vulnerable to a reflected file download (RFD)

Moderate severity GitHub Reviewed Published Jun 13, 2025 to the GitHub Advisory Database • Updated Jun 13, 2025

Package

maven org.springframework:spring-web (Maven)

Affected versions

>= 6.2.0, < 6.2.8
>= 6.1.0, < 6.1.21
>= 6.0.5, <= 6.0.23

Patched versions

6.2.8
6.1.21

Description

Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.

Specifically, an application is vulnerable when all the following are true:

  • The header is prepared with org.springframework.http.ContentDisposition.
  • The filename is set via ContentDisposition.Builder#filename(String, Charset).
  • The value for the filename is derived from user-supplied input.
  • The application does not sanitize the user-supplied input.
  • The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).

An application is not vulnerable if any of the following is true:

  • The application does not set a “Content-Disposition” response header.
  • The header is not prepared with org.springframework.http.ContentDisposition.
  • The filename is set via one of:
    • ContentDisposition.Builder#filename(String), or
    • ContentDisposition.Builder#filename(String, ASCII)
  • The filename is not derived from user-supplied input.
  • The filename is derived from user-supplied input but sanitized by the application.
  • The attacker cannot inject malicious content in the downloaded content of the response.

Affected Spring Products and VersionsSpring Framework

  • 6.2.0 - 6.2.7
  • 6.1.0 - 6.1.20
  • 6.0.5 - 6.0.28
  • Older, unsupported versions are not affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
6.2.x 6.2.8 OSS
6.1.x 6.1.21 OSS
6.0.x 6.0.29 Commercial

No further mitigation steps are necessary.

References

Published by the National Vulnerability Database Jun 12, 2025
Published to the GitHub Advisory Database Jun 13, 2025
Reviewed Jun 13, 2025
Last updated Jun 13, 2025

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(36th percentile)

Weaknesses

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. Learn more on MITRE.

CVE ID

CVE-2025-41234

GHSA ID

GHSA-6r3c-xf4w-jxjm

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.