Key information

CVE-2025-41234 Detail

CVE Dictionary Entry: CVE-2025-41234
NVD Published Date: 06/12/2025
NVD Last Modified: 06/12/2025
Source: VMware

Description

Vulnerability: Reflected File Download (RFD) attack in Spring Framework versions 6.0.x as of 6.0.5, 6.1.x, and 6.2.x.
Condition: Vulnerable when a "Content-Disposition" header with a non-ASCII charset is set, and the filename attribute is derived from user-supplied input.
Impact: Malicious commands can be injected into the downloaded content by the attacker.

Metrics

CVSS Version 3.x Severity and Vector Strings:
- Base Score: 6.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

References to Advisories, Solutions, and Tools

Hyperlink:
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1
- https://nvd.nist.gov/vuln/detail/CVE-2025-41234
- https://spring.io/security/cve-2025-41234

Weakness Enumeration

CWE-ID: CWE-113
CWE Name: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Change History

Records Found: 1