Skip to content

Update dependency org.springframework:spring-web to v6.2.8 [SECURITY] (main) #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Update dependency org.springframework:spring-web to v6.2.8 [SECURITY] (main) #22

wants to merge 1 commit into from

Conversation

renovatebot-confluentinc[bot]
Copy link

For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework:spring-web 6.2.5 -> 6.2.8 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Spring Framework vulnerable to a reflected file download (RFD)

CVE-2025-41234 / GHSA-6r3c-xf4w-jxjm

More information

Details

Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.

Specifically, an application is vulnerable when all the following are true:

  • The header is prepared with org.springframework.http.ContentDisposition.
  • The filename is set via ContentDisposition.Builder#filename(String, Charset).
  • The value for the filename is derived from user-supplied input.
  • The application does not sanitize the user-supplied input.
  • The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).

An application is not vulnerable if any of the following is true:

  • The application does not set a “Content-Disposition” response header.
  • The header is not prepared with org.springframework.http.ContentDisposition.
  • The filename is set via one of:
    • ContentDisposition.Builder#filename(String), or
    • ContentDisposition.Builder#filename(String, ASCII)
  • The filename is not derived from user-supplied input.
  • The filename is derived from user-supplied input but sanitized by the application.
  • The attacker cannot inject malicious content in the downloaded content of the response.
Affected Spring Products and VersionsSpring Framework
  • 6.2.0 - 6.2.7
  • 6.1.0 - 6.1.20
  • 6.0.5 - 6.0.28
  • Older, unsupported versions are not affected
Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
6.2.x 6.2.8 OSS
6.1.x 6.1.21 OSS
6.0.x 6.0.29 Commercial

No further mitigation steps are necessary.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovatebot-cve
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants