
CVE-2025-41242: Path traversal vulnerability on non-compliant Servlet containers

CVSS 5.9 (Medium) · EPSS 6.59% · P91

I. Basic Information for CVE-2025-41242

Vulnerability Information


Vulnerability Title
CVE-2025-41242: Path traversal vulnerability on non-compliant Servlet containers
Source: NVD (National Vulnerability Database)
Vulnerability Description
Spring Framework MVC applications can be vulnerable to a "Path Traversal Vulnerability" when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true:

* the application is deployed as a WAR or with an embedded Servlet container
* the Servlet container does not reject suspicious sequences (see https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization)
* the application serves static resources with Spring resource handling (see https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title)

We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
VMware Spring Framework security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
VMware Spring Framework is an open-source Java and Java EE application framework from the US company VMware. The framework helps developers build high-quality applications. VMware Spring Framework contains a security vulnerability that stems from a path traversal vulnerability on non-compliant Servlet containers and may lead to unauthorized access.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor: VMware
Product: Spring Framework
Affected Versions: 6.2.x ~ 6.2.10
CPE: -

II. Public POCs for CVE-2025-41242

1. vulhub environment and write-up: https://github.com/vulhub/vulhub/blob/master/spring/CVE-2025-41242/README.md

2. Nuclei template: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-41242.yaml
   Description: Spring Framework MVC applications deployed as a WAR or with an embedded Servlet container that does not reject suspicious URI sequences, and that serve static resources with Spring resource handling, contain a path traversal vulnerability that lets attackers access unauthorized files. Exploitation requires a non-compliant Servlet container configuration.

III. Intelligence Information for CVE-2025-41242


IV. Related Vulnerabilities
