CVE-2025-41254: 
Java vulnerability analysis and mitigation

CVE-2025-41254 is a Spring Framework STOMP CSRF Vulnerability discovered and reported by Jannis Kaiser on October 16, 2025. The vulnerability affects multiple versions of Spring Framework including 6.2.0-6.2.11, 6.1.0-6.1.23, 6.0.x-6.0.29, and 5.3.0-5.3.45, as well as older unsupported versions (Spring Security).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) vulnerability (CWE-352) that affects STOMP over WebSocket applications. It enables a security bypass allowing attackers to send unauthorized messages. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability allows attackers to send unauthorized messages through STOMP over WebSocket applications, potentially compromising the integrity of the application's messaging system. The CVSS scoring indicates low impact on integrity with no direct impact on confidentiality or availability (VMware CVSS).

Users of affected versions should upgrade to the corresponding fixed versions: 6.2.12 (OSS), 6.1.24 (Commercial), or 5.3.46 (Commercial). Version 6.0.x is out of support and has no fix available. Commercial customers using Spring Boot 2.7, 3.1, or 3.2 can utilize Spring Boot Hotfix releases 2.7.29.2, 3.2.18.2, and 3.3.15.2 (Spring Security).