CVE-2025-41234: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') in VMware Spring Framework
Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.

Specifically, an application is vulnerable when all of the following are true:

* The header is prepared with org.springframework.http.ContentDisposition.
* The filename is set via ContentDisposition.Builder#filename(String, Charset).
* The value for the filename is derived from user-supplied input.
* The application does not sanitize the user-supplied input.
* The downloaded content of the response is injected with malicious commands by the attacker (see the RFD paper reference for details).

An application is not vulnerable if any of the following is true:

* The application does not set a "Content-Disposition" response header.
* The header is not prepared with org.springframework.http.ContentDisposition.
* The filename is set via one of:
  * ContentDisposition.Builder#filename(String), or
  * ContentDisposition.Builder#filename(String, ASCII)
* The filename is not derived from user-supplied input.
* The filename is derived from user-supplied input but sanitized by the application.
* The attacker cannot inject malicious content into the downloaded content of the response.

Affected Spring Products and Versions

Spring Framework:

* 6.2.0 - 6.2.7
* 6.1.0 - 6.1.20
* 6.0.5 - 6.0.28
* Older, unsupported versions are not affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix version | Availability |
| --- | --- | --- |
| 6.2.x | 6.2.8 | OSS |
| 6.1.x | 6.1.21 | OSS |
| 6.0.x | 6.0.29 | Commercial (https://enterprise.spring.io/) |

No further mitigation steps are necessary.
CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.
AI Analysis
Technical Summary
CVE-2025-41234 is classified under CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) and affects VMware Spring Framework versions 6.0.5 through 6.2.7. The issue arises when an application uses org.springframework.http.ContentDisposition to build the HTTP "Content-Disposition" response header and passes a filename derived from unsanitized user input to ContentDisposition.Builder#filename(String, Charset) with a non-ASCII charset. The CWE-113 classification reflects that the user-supplied filename reaches the response header without adequate neutralization, which lets the attacker influence how the browser names and handles the download. An attacker who can also place content into the body of the downloaded response can stage a Reflected File Download (RFD) attack: the victim follows an attacker-crafted link to the trusted application, the browser saves a file whose name, extension and content the attacker has shaped, and the file appears to originate from the trusted domain. If the victim then opens or runs that file, the attacker's embedded commands execute on the victim's machine, not inside the browser. The RFD paper referenced by the vendor describes this technique. The vulnerability requires that the filename is set using ContentDisposition.Builder#filename(String, Charset) with a non-ASCII charset and that the filename is derived from user input without sanitization. Applications that do not set the Content-Disposition header, build it without the ContentDisposition class, use the filename(String) or ASCII-charset variant, sanitize the input, or do not allow attacker-controlled content in the downloaded body are not vulnerable. The impact lands on the client side: confidentiality is rated high because a file the victim runs can lead to credential theft or session hijacking; integrity is rated low, reflecting the injected content; availability is not affected. The CVSS 3.1 base score is 6.5 (medium severity): network attack vector, high attack complexity, low privileges required, user interaction required, and a changed scope (the harm falls on the victim's client rather than on the vulnerable server) with high confidentiality and low integrity impact. No exploitation in the wild has been reported. Fixed versions are 6.2.8 and 6.1.21 (OSS) and 6.0.29 (commercial); users of affected versions should upgrade accordingly.
No additional mitigations beyond upgrading are specified by the vendor.
Potential Impact
For European organizations, the impact of CVE-2025-41234 can be significant, especially for those running affected Spring Framework versions in web applications that serve downloads whose filenames come from user-supplied input. Successful exploitation results in a victim saving, and potentially running, an attacker-shaped file that appears to come from a trusted site, which can lead to credential compromise, data theft, or further malware infection on the client machine. This is particularly relevant for sectors handling sensitive data such as finance, healthcare, and government services. Since the attack requires user interaction (following a crafted link and then opening the downloaded file), phishing campaigns are the likely delivery route, and the trusted origin of the download makes such lures more convincing. The medium CVSS score reflects that the attack complexity is high and user interaction is required, while the potential confidentiality loss is severe. A successful attack could undermine trust in the affected application and carry regulatory consequences under GDPR if personal data is compromised. The changed scope in the CVSS vector indicates that the damage is done to the victim's client rather than to the vulnerable server itself. The absence of known exploitation in the wild suggests that immediate widespread impact is limited, but the low cost of embedding such a link in a phishing campaign means the flaw should not be underestimated.
Mitigation Recommendations
1. Upgrade all affected Spring Framework instances to the fixed versions: 6.2.8, 6.1.21, or 6.0.29 as applicable. This is the primary and most effective mitigation; the vendor states that no further steps are necessary once upgraded.
2. Review application code for calls to ContentDisposition.Builder#filename(String, Charset) with a non-ASCII charset where the filename is derived from request input (path, query, form fields, headers, or stored data that users control).
3. Validate and sanitize any user-supplied value that ends up in a filename. Prefer an allowlist of safe characters over merely stripping CR and LF, since quotes, semicolons, path separators and non-ASCII bytes also matter in a Content-Disposition value; better still, let the server choose the filename and extension.
4. Where possible, build the header with ContentDisposition.Builder#filename(String) or the ASCII-charset variant, both of which the vendor lists as not affected.
5. Deny the attacker control of the download body: avoid reflecting request parameters into responses served with Content-Disposition: attachment, since an RFD attack needs both the filename and the content.
6. As defense in depth, employ Web Application Firewall (WAF) rules that detect and block HTTP response splitting attempts and suspicious CRLF injection patterns in header-bound parameters; do not treat this as a substitute for the upgrade.
7. Conduct security code reviews and penetration testing focused on HTTP header injection and reflected file download.
8. Educate developers about secure handling of HTTP headers and the risks of reflected file download attacks.
9. Monitor web application logs for requests carrying unusual filename parameters (control characters, quotes, semicolons, executable extensions) that could indicate exploitation attempts.
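As an added illustration (not code from the advisory or from the Spring project), the hypothetical controller below places the vulnerable combination named in the vendor description beside a hardened form that satisfies the "not vulnerable" conditions used in the recommendations above: the user's suggestion is reduced to an allowlisted stem, the server fixes the extension, and the header is built with the ASCII-only filename(String) variant. The endpoint paths, parameter names, allowlist and default name are assumptions; the Spring API calls (ContentDisposition.attachment(), filename(String), filename(String, Charset), build()) are real.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller for illustration; not from the Spring project or the advisory.
@RestController
public class ExportController {

    // Allowlist for the user-visible filename stem: letters, digits, space, dot, dash, underscore.
    // Assumption for this example; tighten to what the application actually needs.
    private static final Pattern SAFE_STEM = Pattern.compile("[A-Za-z0-9 ._-]{1,64}");

    // VULNERABLE PATTERN: every condition from the advisory holds. The filename comes straight
    // from a request parameter, is passed to filename(String, Charset) with a non-ASCII charset,
    // and the body echoes request content. Shown only so reviewers know what to grep for.
    @GetMapping("/export/unsafe")
    public ResponseEntity<String> exportUnsafe(@RequestParam String name,
                                               @RequestParam String note) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8)   // non-ASCII charset + unsanitized input
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .contentType(MediaType.TEXT_PLAIN)
                .body("note: " + note);                   // attacker-influenced download body
    }

    // HARDENED PATTERN: the server owns the filename. The user's suggestion is reduced to an
    // allowlisted stem, the extension is fixed server-side, and the header is built with the
    // ASCII-only filename(String) variant, which the advisory lists as not affected.
    @GetMapping("/export/safe")
    public ResponseEntity<String> exportSafe(@RequestParam String name) {
        String stem = sanitizeStem(name);
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(stem + ".txt")                  // ASCII-only variant, server-chosen extension
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .contentType(MediaType.TEXT_PLAIN)
                .body("export generated for " + stem);    // body content limited to allowlisted chars
    }

    // Reduce a user-supplied name to a safe stem. Anything outside the allowlist, including
    // CR, LF, quotes, semicolons, path separators and non-ASCII, falls back to a fixed default
    // instead of being partially cleaned, so there is no residue for an attacker to shape.
    static String sanitizeStem(String userSupplied) {
        if (userSupplied == null) {
            return "export";
        }
        String trimmed = userSupplied.strip();
        if (trimmed.isEmpty() || trimmed.startsWith(".") || !SAFE_STEM.matcher(trimmed).matches()) {
            return "export";
        }
        return trimmed;
    }
}
```

During a code review, the signal to look for is the pair of conditions on the unsafe endpoint: a filename(String, Charset) call fed from request data, together with a response body that echoes request data. Removing either condition takes the endpoint out of the advisory's vulnerable set; the hardened endpoint removes both.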
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details

- Data Version: 5.1
- Assigner Short Name: vmware
- Date Reserved: 2025-04-16T09:29:46.972Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 684b454f358c65714e6b0221
Added to database: 6/12/2025, 9:23:27 PM
Last enriched: 6/12/2025, 9:39:00 PM
Last updated: 8/8/2025, 12:06:48 PM