
The Spring project has released a security advisory disclosing a vulnerability in the popular Spring Framework, which could allow attackers to launch Reflected File Download (RFD) attacks under certain conditions. Tracked as CVE-2025-41234 and rated CVSS 6.5 (Medium), the flaw impacts Spring Framework versions across the 6.0, 6.1, and 6.2 branches.
“An application is vulnerable to a reflected file download (RFD) attack when it sets a Content-Disposition header with a non-ASCII charset, where the filename attribute is derived from user-supplied input,” the advisory explains.
Reflected File Download (RFD) is a lesser-known but dangerous technique in which an attacker tricks a user’s browser into downloading a malicious file with a deceptive name and executable content, leveraging improperly set HTTP headers.
CVE-2025-41234 affects Spring Framework applications that meet all of the following criteria:
- Use org.springframework.http.ContentDisposition to prepare the Content-Disposition header.
- Set the filename using ContentDisposition.Builder#filename(String, Charset) with a non-ASCII charset.
- Derive the filename from unsanitized user input.
- Include malicious content in the downloaded response.
“The downloaded content of the response is injected with malicious commands by the attacker,” the advisory notes.
Your application is not vulnerable if:
- You do not set a Content-Disposition header at all.
- You do not use the Spring ContentDisposition builder.
- You use filename(String) or filename(String, ASCII) instead of the affected method.
- You sanitize the filename before use.
- The attacker cannot inject malicious content into the downloaded response.
These safeguards effectively break the RFD attack chain.
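To make the affected pattern and the safeguards concrete, here is an added example (not code from the advisory or from the Spring project) of a Spring MVC download endpoint written both ways: one method matches all of the vulnerable conditions listed above, the other applies the safeguards. The class and method names (ReportDownloadController, exportUnsafe, export, sanitizeFilename) and the request parameters are assumptions for illustration; the Spring APIs used (ContentDisposition.attachment(), filename(String), filename(String, Charset), HttpHeaders.setContentDisposition) are the ones the advisory refers to.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Added example, not part of the advisory or the Spring code base.
// Class, method and parameter names are hypothetical.
@RestController
public class ReportDownloadController {

    // Allowlist for filenames: letters, digits, dot, dash, underscore.
    private static final Pattern UNSAFE_CHARS = Pattern.compile("[^A-Za-z0-9._-]");
    private static final int MAX_NAME_LENGTH = 64;

    // Affected pattern: every condition from the advisory is met here.
    //  1. the Spring ContentDisposition builder prepares the header,
    //  2. filename(String, Charset) is called with a non-ASCII charset,
    //  3. the filename comes straight from user input,
    //  4. the response body is reflected from the request as well.
    @GetMapping("/export-unsafe")
    public ResponseEntity<String> exportUnsafe(@RequestParam String name,
                                               @RequestParam String body) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8)
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(cd);
        return ResponseEntity.status(HttpStatus.OK)
                .headers(headers)
                .contentType(MediaType.TEXT_PLAIN)
                .body(body);
    }

    // Hardened version: the filename is sanitized and given a fixed extension,
    // the ASCII-only filename(String) overload is used, and the body is
    // generated server-side rather than echoed from the request.
    @GetMapping("/export")
    public ResponseEntity<String> export(@RequestParam String name) {
        String safeName = sanitizeFilename(name) + ".csv";
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(safeName)
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(cd);
        // Constructed sample content; a real application would render its own data here.
        String csv = "id,value\n1,42\n2,17\n";
        return ResponseEntity.status(HttpStatus.OK)
                .headers(headers)
                .contentType(MediaType.TEXT_PLAIN)
                .body(csv);
    }

    // Reduce a user-supplied name to the allowlist, drop leading dots so the
    // result cannot be "." or "..", cap the length, and fall back to a default
    // when nothing usable remains.
    static String sanitizeFilename(String raw) {
        if (raw == null) {
            return "report";
        }
        String cleaned = UNSAFE_CHARS.matcher(raw).replaceAll("");
        cleaned = cleaned.replaceFirst("^\\.+", "");
        if (cleaned.isEmpty()) {
            return "report";
        }
        return cleaned.length() > MAX_NAME_LENGTH
                ? cleaned.substring(0, MAX_NAME_LENGTH)
                : cleaned;
    }
}
```

The hardened method removes three links of the chain at once: the filename no longer carries attacker-chosen characters or extension, the ASCII overload is used instead of the affected filename(String, Charset) path, and the downloaded content is not derived from the request. Any one of those is enough according to the advisory; applying all three costs nothing and keeps the endpoint safe even if one is later relaxed.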
The vulnerability impacts the following versions of the Spring Framework:
| Affected Versions | Fixed Versions |
|---|---|
| 6.2.0 – 6.2.7 | 6.2.8 |
| 6.1.0 – 6.1.20 | 6.1.21 |
| 6.0.5 – 6.0.28 | 6.0.29 (Commercial) |
“Older, unsupported versions are not affected,” according to the advisory.