Jakob Linskeseder

**Name of the Vulnerable Software and Affected Versions** Spring Framework versions 6.0.5 through 6.0.28 Spring Framework versions 6.1.0 through 6.1.20 Spring Framework versions 6.2.0 through 6.2.7 **Description** The issue allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets. This occurs when the `Content-Disposition` header is prepared with `org.springframework.http.ContentDisposition` and the filename attribute is derived from user-supplied input. The application is not vulnerable if it does not set a `Content-Disposition` response header, the header is not prepared with `org.springframework.http.ContentDisposition`, or the filename is sanitized by the application. **Recommendations** For Spring Framework versions 6.0.x, upgrade to version 6.0.29. For Spring Framework versions 6.1.x, upgrade to version 6.1.21. For Spring Framework versions 6.2.x, upgrade to version 6.2.8. As a temporary workaround, consider sanitizing user-supplied input for the filename attribute in the `Content-Disposition` header.