CVE-2025-41254
Description
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.Affected Spring Products and VersionsSpring Framework: * 6.2.0 - 6.2.11 * 6.1.0 - 6.1.23 * 6.0.x - 6.0.29 * 5.3.0 - 5.3.45 * Older, unsupported versions are also affected.MitigationUsers of affected versions should upgrade to the corresponding fixed version.Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.0.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 9.5.0.1 | Windows |
| Vulnerabilities CVE-2025-41254 are fixed in Spring - spring-websocket 6.2.12 | Windows |
| Vulnerabilities CVE-2025-41254 are affected in Spring - spring-websocket 6.1.21 | Windows |
| Vulnerabilities CVE-2025-41254 are fixed in Spring - spring-websocket for Linux 6.2.12 | Linux |
| Vulnerabilities CVE-2025-41254 are affected in Spring - spring-websocket for Linux 6.1.21 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234