6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-41234

CVE-2025-41234: Spring Framework vulnerable to a reflected file download (RFD)

Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.

Specifically, an application is vulnerable when all the following are true:

The header is prepared with org.springframework.http.ContentDisposition.
The filename is set via ContentDisposition.Builder#filename(String, Charset).
The value for the filename is derived from user-supplied input.
The application does not sanitize the user-supplied input.
The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).

An application is not vulnerable if any of the following is true:

The application does not set a “Content-Disposition” response header.
The header is not prepared with org.springframework.http.ContentDisposition.
The filename is set via one of:
- ContentDisposition.Builder#filename(String), or
- ContentDisposition.Builder#filename(String, ASCII)
The filename is not derived from user-supplied input.
The filename is derived from user-supplied input but sanitized by the application.
The attacker cannot inject malicious content in the downloaded content of the response.

Affected Spring Products and VersionsSpring Framework

6.2.0 - 6.2.7
6.1.0 - 6.1.20
6.0.5 - 6.0.28
Older, unsupported versions are not affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix version | Availability | | - | - | - | | 6.2.x | 6.2.8 | OSS | | 6.1.x | 6.1.21 | OSS | | 6.0.x | 6.0.29 | Commercial |

No further mitigation steps are necessary.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-41234

CVE-2025-41234:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.springframework:spring-web	maven	>= 6.2.0, < 6.2.8	6.2.8
org.springframework:spring-web	maven	>= 6.1.0, < 6.1.21	6.1.21
org.springframework:spring-web	maven	>= 6.0.5, <= 6.0.23

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The Reflected File Download (RFD) vulnerability in Spring Framework (CVE-2025-41234) occurs when an application constructs a Content-Disposition header where the filename is derived from user input and a non-ASCII charset is used.

The root cause lies in the improper encoding of certain characters, particularly double quotes ("), in the filename attribute of the header.

Two key functions are involved in this vulnerability:

org.springframework.http.ContentDisposition$Builder.filename(String filename, java.nio.charset.Charset charset): This is the method applications use to set the filename and specify a non-ASCII charset. It acts as the entry point for the user-supplied, potentially malicious filename. If an attacker can control this input, they can introduce characters that, if not properly encoded, can manipulate the browser's interpretation of the downloaded file's name and type.
org.springframework.http.ContentDisposition.appendTo(java.lang.StringBuilder) (and helper methods called during serialization, e.g., via toString()): This method is responsible for serializing the ContentDisposition object's state, including the filename, into the final HTTP header string. Internally, it relies on a BitSet called PRINTABLE to determine which characters need to be percent-encoded. Before the patch, the PRINTABLE set incorrectly considered double quotes as safe (printable) in the context of filename* encoding with non-ASCII charsets. This meant that if a filename like "setup.bat was provided via the builder with a UTF-8 charset, the quotes might not be encoded in the filename* part of the header, leading to the RFD.

The patch (f0e7b42704e6b33958f242d91bd690d6ef7ada9c) addresses the vulnerability by modifying the static initializer of the ContentDisposition class to explicitly mark the double quote character (", ASCII 34) as non-printable (PRINTABLE.set(34, false);). This ensures that during the serialization process performed by appendTo (and its callees), double quotes in filenames are correctly encoded, preventing the RFD attack vector.

Therefore, an exploit would involve an application calling ContentDisposition.Builder.filename() with attacker-controlled input and a non-ASCII charset. Subsequently, when Spring Framework serializes this ContentDisposition object to a header (triggering appendTo/toString()), the vulnerability would manifest if the older, unpatched code was used.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-41234: Spring Framework vulnerable to a reflected file download (RFD)

Description

Affected Spring Products and VersionsSpring Framework

Mitigation

CVE-2025-41234:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-41234: Spring Framework vulnerable to a reflected file download (RFD)

Description

Affected Spring Products and VersionsSpring Framework

Mitigation

Basic Information

Basic Information

6.5

6.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI