Fluid Attacks Database

Description

Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and Versions

Spring Framework:

6.2.0 - 6.2.11

6.1.0 - 6.1.23

6.0.x - 6.0.29

5.3.0 - 5.3.45

Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)

Fix version	Availability
6.2.x	6.2.12 OSS
6.1.x	6.1.24 Commercial https://enterprise.spring.io/
6.0.x	N/A Out of support https://spring.io/projects/spring-framework#support
5.3.x	5.3.46 Commercial https://enterprise.spring.io/

No further mitigation steps are necessary.

CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libspring-java	=4.3.30-1 \|\| =4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 12	libspring-java	=4.3.30-2 \|\| =4.3.30-3 \|\| =4.3.30-4	-
debian 13	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
debian 14	libspring-java	=4.3.30-3 \|\| =4.3.30-4	-
maven	org.springframework:spring-websocket	>=6.2.0 <6.2.12 \|\| >=6.1.0 <=6.1.21 \|\| >=6.0.0 <=6.0.23 \|\| >=0 <=5.3.39	6.2.12
rpm rhel8	log4j	-	-
rpm rhel9	log4j	-	-
rpm rhel8	resteasy	-	-
rpm rhel9	resteasy	-	-

Aliases

1. CVE-2025-412542. NVD-2025-412543. OSV-DEBIAN-2025-412544. OSV-2025-412545. GCVE-2025-412546. SECURITY-TRACKER-CVE-2025-41254

References

1. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.12. https://spring.io/security/cve/2025-41254