Bug 2389113 (CVE-2025-41242)

Summary: CVE-2025-41242 org.springframework/spring-webmvc: Spring Framework MVC path traversal vulnerability
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abrianik, aschwart, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, darran.lofthouse, dbruscin, dhanak, dkreling, dosoudil, drosa, fjuma, fmariani, ggrzybek, gmalinko, gtanzill, ibek, istudens, ivassile, iweiss, janstey, jbuscemi, jpoth, jrokos, kaycoth, kvanderr, kverlaen, mnovotny, mosmerov, mposolda, msochure, msvehla, nwallace, parichar, pbizzarr, pdelbell, pesilva, pjindal, pmackay, rstancel, rstepani, sausingh, sdawley, smaestri, ssilvert, sthorger, tasato, tcunning, tom.jenkinson, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A path traversal flaw was found in the Spring Framework MVC, affecting applications built on this framework. This flaw only affects applications that are deployed as a WAR or with an embedded Servlet container, which do not reject suspicious sequences and serve static resources with Spring resource handling. See the Jakarta servlet documentation in the References section for more information.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2389237, 2389236    
Bug Blocks:    

Description OSIDB Bzimport 2025-08-18 09:01:14 UTC 
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.

An application can be vulnerable when all the following are true:

  *  the application is deployed as a WAR or with an embedded Servlet container
  *  the Servlet container  does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization 
  *  the application  serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with Spring resource handling


We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.