CVE-2025-41234

Name of the Vulnerable Software and Affected Versions Spring Framework versions 6.0.5 through 6.0.28 Spring Framework versions 6.1.0 through 6.1.20 Spring Framework versions 6.2.0 through 6.2.7

Description The issue allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in ContentDisposition.Builder#filename(String, Charset) with non-ASCII charsets. This occurs when the Content-Disposition header is prepared with org.springframework.http.ContentDisposition and the filename attribute is derived from user-supplied input. The application is not vulnerable if it does not set a Content-Disposition response header, the header is not prepared with org.springframework.http.ContentDisposition, or the filename is sanitized by the application.

Recommendations For Spring Framework versions 6.0.x, upgrade to version 6.0.29. For Spring Framework versions 6.1.x, upgrade to version 6.1.21. For Spring Framework versions 6.2.x, upgrade to version 6.2.8. As a temporary workaround, consider sanitizing user-supplied input for the filename attribute in the Content-Disposition header.