Unknown · Spring Framework · CVE-2024-38816
**Name of the Vulnerable Software and Affected Versions**
Spring Framework versions 5.3.0 through 5.3.39
Spring Framework versions 6.0.0 through 6.0.23
Spring Framework versions 6.0.24 through 6.1.12
Spring Framework versions 6.1.13 and earlier
**Description**
The vulnerability is a path traversal in the functional web frameworks WebMvc.fn and WebFlux.fn of the Spring Framework. An attacker can craft malicious HTTP requests to obtain any file on the file system that is also accessible to the process in which the Spring application is running. This is possible when the web application uses RouterFunctions to serve static resources and resource handling is explicitly configured with a FileSystemResource location. Malicious requests are, however, blocked and rejected when the Spring Security HTTP Firewall is in use or when the application runs on Tomcat or Jetty. The issue potentially affects millions of Java applications worldwide.
**Recommendations**
For Spring Framework versions 5.3.0 through 5.3.39, upgrade to version 5.3.40 or later.
For Spring Framework versions 6.0.0 through 6.0.23, upgrade to version 6.0.24 or later.
For Spring Framework versions 6.0.24 through 6.1.12, upgrade to version 6.1.13 or later.
For Spring Framework versions 6.1.13 and earlier, upgrade to a version later than 6.1.13.
As a temporary workaround, consider disabling the use of RouterFunctions to serve static resources or restricting access to the vulnerable FileSystemResource locations until a patch is available.
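As an added illustration (not code from this advisory or from the Spring project), the following WebMvc.fn routes show the configuration the description refers to, a RouterFunction serving static files from an explicitly configured FileSystemResource, next to a lookup-based variant that keeps every resolved path inside the base directory as an interim control while the upgrade is rolled out. The base directory `/var/app/static` and the `/files/` URL prefix are assumed values.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerRequest;
import org.springframework.web.servlet.function.ServerResponse;

public class StaticRoutes {
    // Assumed base directory (hypothetical path); only files below it may be served.
    private static final Path BASE = Paths.get("/var/app/static").toAbsolutePath().normalize();
    private static final String PREFIX = "/files/";

    // The configuration the advisory describes: RouterFunctions serving static
    // resources from an explicitly configured FileSystemResource location.
    // On the affected versions, this is the pattern to search a code base for.
    public static RouterFunction<ServerResponse> advisoryPattern() {
        return RouterFunctions.resources(PREFIX + "**", new FileSystemResource(BASE + "/"));
    }

    // Interim hardening (added here, not the framework's fix): resolve the requested
    // path ourselves and refuse anything that leaves BASE after normalisation.
    public static RouterFunction<ServerResponse> containedRoutes() {
        return RouterFunctions.resources(StaticRoutes::lookup);
    }

    static Optional<Resource> lookup(ServerRequest request) {
        String path = request.path();                 // e.g. "/files/css/app.css"
        if (!path.startsWith(PREFIX)) return Optional.empty();
        String relative = path.substring(PREFIX.length());
        // Fail closed on empty names, NUL bytes and backslashes before touching disk.
        if (relative.isEmpty() || relative.indexOf('\0') >= 0 || relative.contains("\\")) {
            return Optional.empty();
        }
        Path resolved = BASE.resolve(relative).normalize();
        if (!resolved.startsWith(BASE)) return Optional.empty(); // "../" escaped BASE
        try {
            // Follow symlinks so a link that points outside BASE is also refused.
            Path real = resolved.toRealPath();
            if (!real.startsWith(BASE.toRealPath()) || !real.toFile().isFile()) {
                return Optional.empty();
            }
            return Optional.of(new FileSystemResource(real));
        } catch (IOException e) {                     // missing file or broken link
            return Optional.empty();
        }
    }
}
```

Register `containedRoutes()` as a `RouterFunction` bean in place of the pattern-based route; percent-encoded segments that do not resolve to a real file under BASE simply yield an empty Optional and a 404.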