
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-41234 is a medium-severity vulnerability (CVSS 6.5) discovered in Spring Framework that enables Reflected File Download (RFD) attacks. The vulnerability was disclosed on June 12, 2025, affecting Spring Framework versions 6.0.5-6.0.28, 6.1.0-6.1.20, and 6.2.0-6.2.7. The vulnerability occurs when an application sets a Content-Disposition header with a non-ASCII charset where the filename attribute is derived from user-supplied input (Spring Security, Wiz).
The vulnerability is triggered when an application uses org.springframework.http.ContentDisposition to prepare the Content-Disposition header and sets the filename using ContentDisposition.Builder#filename(String, Charset) with a non-ASCII charset. The issue has been assigned CWE-113 and carries a CVSS v3.1 score of 6.5 (Medium) with the vector string AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N, indicating network accessibility with high attack complexity, low privileges required, and user interaction needed (Spring Security, NVD).
When successfully exploited, this vulnerability allows attackers to perform Reflected File Download (RFD) attacks. RFD is a technique where attackers can trick a user's browser into downloading a malicious file with a deceptive name and executable content by leveraging improperly set HTTP headers. This can lead to high confidentiality impact and low integrity impact, while availability remains unaffected (Wiz).
Users of affected versions should upgrade to the corresponding fixed versions: 6.2.8 for 6.2.x users, 6.1.21 for 6.1.x users, and 6.0.29 for commercial 6.0.x users. Applications are not vulnerable if they do not set Content-Disposition headers, do not use Spring's ContentDisposition builder, use filename(String) or filename(String, ASCII) instead of the affected method, or properly sanitize the user input that feeds the filename. No further mitigation steps are necessary after upgrading (Spring Security, Spring Blog).
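The affected call and the unaffected alternatives described above, shown side by side as an added example (not code from the Spring project or from this report): the controller name, endpoint paths, `sanitizeFilename` and `exportData` are assumed for illustration, and the hardened handler combines two of the listed mitigations, sanitizing the user-supplied name and passing the ASCII charset.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExportController { // hypothetical controller

    // Pattern that is vulnerable on affected versions: the filename comes straight
    // from the request and is encoded with a non-ASCII charset (filename* form).
    @GetMapping("/export-unsafe")
    public ResponseEntity<byte[]> exportUnsafe(@RequestParam("name") String name) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8) // affected overload
                .build();
        return respond(cd);
    }

    // Hardened pattern: user input never reaches the header unchanged, the
    // extension is pinned server-side, and the ASCII overload is used.
    @GetMapping("/export")
    public ResponseEntity<byte[]> exportSafe(@RequestParam("name") String name) {
        String safeName = sanitizeFilename(name) + ".csv";
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(safeName, StandardCharsets.US_ASCII) // unaffected
                .build();
        return respond(cd);
    }

    // Allow-list approach: keep only characters that cannot alter the header
    // or the downloaded file's apparent type; fall back to a fixed default.
    static String sanitizeFilename(String input) {
        String cleaned = input == null ? "" : input.replaceAll("[^A-Za-z0-9_-]", "");
        if (cleaned.isEmpty()) {
            cleaned = "export";
        }
        return cleaned.length() > 64 ? cleaned.substring(0, 64) : cleaned;
    }

    private ResponseEntity<byte[]> respond(ContentDisposition cd) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(cd);
        return ResponseEntity.ok().headers(headers)
                .contentType(MediaType.APPLICATION_OCTET_STREAM)
                .body(exportData());
    }

    private byte[] exportData() { // constructed sample payload
        return "id,value\n1,a\n".getBytes(StandardCharsets.US_ASCII);
    }
}
```

Upgrading to a fixed version remains the primary remediation; the sanitization shown only removes the user-controlled input path that the affected overload depends on.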
The vulnerability was responsibly reported by Jakob Linskeseder from the Dynatrace Security Team. Spring has released security patches promptly, with Spring Framework 6.1.21 and 6.2.8 being made available immediately. These versions will be included in upcoming Spring Boot releases 3.4.7 and 3.5.1 (Spring Blog).
Source: This report was generated using AI