Relative Path Traversal Affecting org.springframework:spring-beans package, versions [,6.2.10)


Severity: high (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931
  • Published: 19 Aug 2025
  • Disclosed: 14 Aug 2025
  • Credit: 1ue, iSafeBlue, Joakim Erdfelt

Introduced: 14 Aug 2025

CVE-2025-41242
CWE-23

How to fix?

Upgrade org.springframework:spring-beans to version 6.2.10 or higher.

Overview

org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.

Affected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.

Notes:

  1. This is only exploitable if all of the following hold: the application is deployed as a WAR or with an embedded Servlet container; the Servlet container does not reject suspicious sequences; and the application serves static resources through Spring resource handling.

  2. Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as their default security features have not been disabled in the configuration.

  3. This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.
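The notes above hinge on whether the layer in front of static-resource handling rejects "suspicious sequences" before a request path is mapped onto the file system. The following Python function is an added illustration of that CWE-23 check, written for this page; it is not Spring's resource handler nor any Servlet container's code, and the web root and the sample request paths in it are constructed for the example. It decodes once, refuses double-encoded and control-character input, rejects any relative (`.`/`..`) segment outright, and finally confirms the normalised path still lies under the root.

```python
"""Defensive resource-path validation illustrating the CWE-23 check a
compliant Servlet container or static-resource handler is expected to
perform before serving a file.  Added example for this advisory page; not
Spring's ResourceHttpRequestHandler and not any container's code.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical web root; an assumption made for this example.
WEB_ROOT = "/srv/app/static"


def resolve_static_resource(request_path: str,
                            web_root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute file path a request may be served from, or None
    if the request must be rejected.

    1. Percent-decode exactly once.  A '%' left after decoding means the
       input was double-encoded; it is rejected rather than decoded again.
    2. Reject backslashes, NUL and other control characters.
    3. Split into segments and reject any '.' or '..' segment outright
       (relative traversal) instead of trying to "clean" it.  This is
       deliberately conservative: 'a/../b' is refused even though it would
       stay inside the root.
    4. Normalise and verify the joined path is still under web_root.
    """
    decoded = unquote(request_path)
    if "%" in decoded:
        return None  # double-encoded input is not decoded a second time
    if "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        return None
    segments = [s for s in decoded.split("/") if s != ""]
    if not segments:
        return None  # nothing to serve
    if any(seg in (".", "..") for seg in segments):
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Final containment check: candidate must be a descendant of root.
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def audit(request_paths):
    """Map each constructed request path to the decision taken for it, so a
    batch of sample requests can be reviewed at once."""
    return {p: resolve_static_resource(p) for p in request_paths}


if __name__ == "__main__":
    # Constructed sample requests: two benign, the rest traversal-shaped.
    samples = [
        "css/app.css",
        "/css//app.css",
        "../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "%252e%252e/x",
        "a\\..\\b",
    ]
    for path, decision in audit(samples).items():
        print(f"{path!r:32} -> {decision}")
```

Run as a script it prints the decision for each constructed request; only the two benign paths resolve to a file under the root. The point of the containment check at the end is that the earlier, cheaper rejections are belt and braces: even if a future change loosened the segment rule, a resolved path outside `web_root` would still be refused.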
