CVE-2025-41254

描述

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. ### Affected Spring Products and Versions Spring Framework: * 6.2.0 - 6.2.11 * 6.1.0 - 6.1.23 * 6.0.x - 6.0.29 * 5.3.0 - 5.3.45 * Older, unsupported versions are also affected. ### Mitigation Users of affected versions should upgrade to the corresponding fixed version. ### Affected version(s) Fix version | Availability -|- 6.2.x | 6.2.12 OSS 6.1.x | 6.1.24 Commercial https://enterprise.spring.io/ 6.0.x | N/A Out of support https://spring.io/projects/spring-framework#support 5.3.x | 5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary. CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.

如何修補 CVE-2025-41254

要修補 CVE-2025-41254,請將受影響套件升級到下列已修補版本。

• —未列出修補版本
• —升級至 6.2.12 或更新版本

CVE-2025-41254 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(2)

• from 0
• >= 6.2.0, < 6.2.12

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-41254
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-41254
• PATCHgithub.com/spring-projects/spring-framework
• WEBnvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.1