CVE-2025-41242: 
Apache Log4j vulnerability analysis and mitigation

Spring Framework MVC applications were found to be vulnerable to a Path Traversal Vulnerability (CVE-2025-41242) when deployed on non-compliant Servlet containers. The vulnerability was disclosed on August 14, 2025, affecting Spring Framework versions 6.2.0-6.2.9, 6.1.0-6.1.21, 6.0.0-6.0.29, and 5.3.0-5.3.43. The vulnerability occurs when applications are deployed as WAR or with embedded Servlet containers, the Servlet container does not reject suspicious sequences, and the application serves static resources with Spring resource handling (Spring Security).

The vulnerability is classified as MEDIUM severity with a CVSS v3.1 base score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). It has been categorized as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable when using default security features (NVD, Spring Security).

The vulnerability could potentially allow attackers to perform path traversal attacks on affected systems, leading to unauthorized access to files outside the intended directory structure. The CVSS scoring indicates high potential for confidentiality impact, though integrity and availability are not affected (Spring Security).

Users are strongly recommended to upgrade to the fixed versions: 6.2.10 for open-source users, while commercial customers should upgrade to 6.1.22 or 5.3.44. Spring Boot users with commercial subscriptions can access hotfix releases 2.7.28.1, 3.2.17.1, and 3.3.14.1. No additional mitigation steps are necessary after upgrading (Spring Blog).

The vulnerability was responsibly reported by security researchers 1ue and b1u3r from Vidar-Team, along with Joakim Erdfelt from Webtide. The Spring team has responded promptly by releasing patches for both open-source and commercial versions (Spring Security).