PT-2025-33358 · Eclipse+3 · Eclipse Jetty+3

Published: 2025-04-16
Updated: 2026-04-30
CVE-2025-41242
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Spring Framework MVC applications (affected versions not specified)
Description: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. This issue occurs when the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences, and the application serves static resources with Spring resource handling. Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, assuming default security features are not disabled.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2025-10259
CVE-2025-41242
GHSA-R936-GWX5-V52F

Affected Products

Apache Tomcat
Debian
Eclipse Jetty
Spring Framework