The Spring project has released a security advisory disclosing a vulnerability in the popular Spring Framework, which could allow attackers to launch Reflected File Download (RFD) attacks under certain conditions. Tracked as CVE-2025-41234 and rated CVSS 6.5 (Medium), the flaw impacts Spring Framework versions across the 6.0, 6.1, and 6.2 branches.
“An application is vulnerable to a reflected file download (RFD) attack when it sets a Content-Disposition header with a non-ASCII charset, where the filename attribute is derived from user-supplied input,” the advisory explains.
Reflected File Download (RFD) is a lesser-known but dangerous technique in which an attacker tricks a user's browser into downloading a malicious file with a deceptive name and executable content, leveraging improperly set HTTP headers.
CVE-2025-41234 affects Spring Framework applications that meet all of the following criteria:
- Use org.springframework.http.ContentDisposition to prepare the Content-Disposition header.
- Set the filename using ContentDisposition.Builder#filename(String, Charset) with a non-ASCII charset.
- Derive the filename from unsanitized user input.
- Include malicious content in the downloaded response.
“The downloaded content of the response is injected with malicious commands by the attacker,” the advisory notes.
Your application is not vulnerable if:
- You do not set a Content-Disposition header at all.
- You do not use the Spring ContentDisposition builder.
- You use filename(String) or filename(String, ASCII) instead of the affected method.
- You sanitize the filename before use.
- The attacker cannot inject malicious content into the downloaded response.
These safeguards effectively break the RFD attack chain.
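To make the four affected criteria and the listed safeguards concrete, here is an added example (not code from the advisory or the Spring project) showing the affected builder call beside a hardened version. The controller, endpoint paths, request parameters and the sanitizeFilename helper are hypothetical; the Spring APIs used (ContentDisposition.attachment(), filename(String), filename(String, Charset), HttpHeaders.setContentDisposition) are real.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller (not from the advisory) contrasting the affected pattern with a hardened one.
@RestController
public class ExportController {

    // AFFECTED PATTERN: the filename comes straight from the request and is passed to
    // filename(String, Charset) with a non-ASCII charset, and the response body reflects
    // caller-controlled text. On Spring Framework 6.2.0-6.2.7 / 6.1.0-6.1.20 / 6.0.5-6.0.28
    // this meets all four criteria in the advisory.
    @GetMapping("/export/affected")
    public ResponseEntity<String> exportAffected(@RequestParam String name,
                                                 @RequestParam String data) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8) // affected overload with non-ASCII charset
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(cd);
        return ResponseEntity.ok()
                .headers(headers)
                .contentType(MediaType.TEXT_PLAIN)
                .body(data); // reflected content: the other half of the RFD chain
    }

    // Allow-list of characters permitted in a download name (hypothetical policy).
    private static final Pattern UNSAFE_CHARS = Pattern.compile("[^A-Za-z0-9._-]");

    // Sanitize a caller-supplied name: drop any directory component, replace every
    // character outside the allow-list, and never return an empty or dot-leading name.
    static String sanitizeFilename(String raw) {
        int cut = Math.max(raw.lastIndexOf('/'), raw.lastIndexOf('\\'));
        String base = raw.substring(cut + 1);
        String cleaned = UNSAFE_CHARS.matcher(base).replaceAll("_");
        if (cleaned.isEmpty() || cleaned.startsWith(".")) {
            cleaned = "download" + cleaned;
        }
        return cleaned;
    }

    // HARDENED PATTERN: sanitized name, server-chosen extension, the ASCII-only
    // filename(String) overload, and a body the caller cannot influence. Any one of
    // these breaks the chain; together they cover the advisory's safeguards.
    @GetMapping("/export/hardened")
    public ResponseEntity<String> exportHardened(@RequestParam String name) {
        String safeName = sanitizeFilename(name) + ".csv"; // extension fixed by the server
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(safeName) // plain ASCII overload, outside the affected code path
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(cd);
        headers.add("X-Content-Type-Options", "nosniff"); // stop browsers from sniffing a different type
        return ResponseEntity.ok()
                .headers(headers)
                .contentType(MediaType.TEXT_PLAIN)
                .body(serverGeneratedExport());
    }

    // Constructed sample content; nothing here is derived from the request.
    private String serverGeneratedExport() {
        return "id,value\n1,example\n";
    }
}
```

When reviewing an existing code base for this CVE, search for calls to `filename(` that pass a `Charset` argument and trace the first argument back to its origin; if it reaches a request parameter, path variable or stored user data without passing through an allow-list like the one above, the call is on the affected path until the framework is upgraded to a fixed version.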
The vulnerability impacts the following versions of the Spring Framework:
| Affected Versions | Fixed Versions |
|---|---|
| 6.2.0 – 6.2.7 | 6.2.8 |
| 6.1.0 – 6.1.20 | 6.1.21 |
| 6.0.5 – 6.0.28 | 6.0.29 (Commercial) |
“Older, unsupported versions are not affected,” according to the advisory.