CVE Tools
Sign in

CVE-2025-41234

RFD Attack via “Content-Disposition” Header Sourced from Request

Published: Jun 12, 2025Updated: Jun 16, 2025 Sources: CVE List NVD GHSA BDUCWE-113
NVD MITRE
6.5CVSSMEDIUM
EPSS Score
0.5%
Top 60.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. Specifically, an application is vulnerable when all the following are true: * The header is prepared with org.springframework.http.ContentDisposition. * The filename is set via ContentDisposition.Builder#filename(String, Charset). * The value for the filename is derived from user-supplied input. * The application does not sanitize the user-supplied input. * The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details). An application is not vulnerable if any of the following is true: * The application does not set a “Content-Disposition” response header. * The header is not prepared with org.springframework.http.ContentDisposition. * The filename is set via one of: * ContentDisposition.Builder#filename(String), or * ContentDisposition.Builder#filename(String, ASCII) * The filename is not derived from user-supplied input. * The filename is derived from user-supplied input but sanitized by the application. * The attacker cannot inject malicious content in the downloaded content of the response. Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6.2.7 * 6.1.0 - 6.1.20 * 6.0.5 - 6.0.28 * Older, unsupported versions are not affected MitigationUsers of affected versions should upgrade to the corresponding fixed version. Affected version(s)Fix versionAvailability6.2.x6.2.8OSS6.1.x6.1.21OSS6.0.x6.0.29 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary. CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.

CVSS Vector Breakdown

AV:NAC:HPR:LUI:RS:CC:HI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:LPrivileges Required
Low
UI:RUser Interaction
Required
Scope
S:CScope
Changed
Impact
C:HConfidentiality
High
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-113

Affected Products

Spring FrameworkVMware
LibraryLibrary
OSS Libraries / generic-library
Spring FrameworkBroadcom Inc.
Mixed
Cloud & SaaS / virtualization
org.springframework:spring-webMavenOSS Libraries
vmwarecommercialUSCloud & SaaSaka vmware inc
broadcom inc.commercialUSCloud & SaaSaka vmware by broadcom
mavenpackage-ecosystemOSS Libraries

Exploitability

Official Patch Available

References

https://spring.io/security/cve-2025-41234
spring.io
https://nvd.nist.gov/vuln/detail/CVE-2025-41234
nvd.nist.gov
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1
nvd.nist.gov
and 3 more references View all →

Timeline

Published
Jun 12, 2025
Last Updated
Jun 16, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-41234 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows