Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2026-AVI-0029
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans VMware Tanzu Gemfire. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une injection de requêtes illégitimes par rebond (CSRF) et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| VMware | Tanzu Gemfire | Tanzu GemFire versions antérieures à 10.1.6 | ||
| VMware | Tanzu Gemfire | Tanzu GemFire versions antérieures à 10.2.1 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Tanzu GemFire versions ant\u00e9rieures \u00e0 10.1.6",
"product": {
"name": "Tanzu Gemfire",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu GemFire versions ant\u00e9rieures \u00e0 10.2.1",
"product": {
"name": "Tanzu Gemfire",
"vendor": {
"name": "VMware",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-22233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22233"
},
{
"name": "CVE-2025-67735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67735"
},
{
"name": "CVE-2025-41254",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41254"
},
{
"name": "CVE-2025-59419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59419"
}
],
"initial_release_date": "2026-01-13T00:00:00",
"last_revision_date": "2026-01-13T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0029",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-13T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans VMware Tanzu Gemfire. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF) et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans VMware Tanzu Gemfire",
"vendor_advisories": [
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36759",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36759"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 36758",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36758"
}
]
}
CVE-2025-67735 (GCVE-0-2025-67735)
Vulnerability from cvelistv5
Published
2025-12-16 00:19
Modified
2025-12-16 14:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Summary
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67735",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T14:26:21.658602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T14:26:48.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.8.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.129.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T00:19:11.287Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4"
}
],
"source": {
"advisory": "GHSA-84h7-rjj3-6jx4",
"discovery": "UNKNOWN"
},
"title": "Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67735",
"datePublished": "2025-12-16T00:19:11.287Z",
"dateReserved": "2025-12-11T00:45:45.790Z",
"dateUpdated": "2025-12-16T14:26:48.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22233 (GCVE-0-2025-22233)
Vulnerability from cvelistv5
Published
2025-05-16 19:14
Modified
2025-05-17 02:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.6
* 6.1.0 - 6.1.19
* 6.0.0 - 6.0.27
* 5.3.0 - 5.3.42
* Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix Version Availability 6.2.x
6.2.7
OSS6.1.x
6.1.20
OSS6.0.x
6.0.28
Commercial https://enterprise.spring.io/ 5.3.x
5.3.43
Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring | Spring Framework |
Version: 6.2.0 Version: 6.1.0 Version: 6.0.0 Version: 5.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-17T02:36:53.736871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-17T02:37:03.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Spring Framework",
"vendor": "Spring",
"versions": [
{
"lessThanOrEqual": "6.2.6",
"status": "affected",
"version": "6.2.0",
"versionType": "Framework"
},
{
"lessThanOrEqual": "6.1.19",
"status": "affected",
"version": "6.1.0",
"versionType": "Framework"
},
{
"lessThanOrEqual": "6.0.27",
"status": "affected",
"version": "6.0.0",
"versionType": "Enterprise Framework"
},
{
"lessThanOrEqual": "5.3.42",
"status": "affected",
"version": "5.3.0",
"versionType": "Enterprise Framework"
},
{
"status": "unaffected",
"version": "6.2.7",
"versionType": "Framework"
},
{
"status": "unaffected",
"version": "6.1.20",
"versionType": "Framework"
},
{
"status": "unaffected",
"version": "6.0.28",
"versionType": "Enterprise Framework"
},
{
"status": "unaffected",
"version": "5.3.43",
"versionType": "Entrprise Framework"
}
]
}
],
"datePublic": "2025-05-15T15:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eAffected Spring Products and Versions\u003c/b\u003e\u003cbr\u003e\u003cbr\u003eSpring Framework:\u003cbr\u003e\u003cul\u003e\u003cli\u003e6.2.0 - 6.2.6\u003cbr\u003e\u003c/li\u003e\u003cli\u003e6.1.0 - 6.1.19\u003cbr\u003e\u003c/li\u003e\u003cli\u003e6.0.0 - 6.0.27\u003cbr\u003e\u003c/li\u003e\u003cli\u003e5.3.0 - 5.3.42\u003c/li\u003e\u003cli\u003eOlder, unsupported versions are also affected\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cb\u003eMitigation\u003c/b\u003e\u003cbr\u003e\u003cbr\u003eUsers of affected versions should upgrade to the corresponding fixed version.\u003cbr\u003e\u003cbr\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eAffected version(s)\u003c/td\u003e\u003ctd\u003eFix Version\u0026nbsp;\u003c/td\u003e\u003ctd\u003eAvailability\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.2.x\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e 6.2.7\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.1.x\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e 6.1.20\u003cbr\u003e\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.0.x\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e 6.0.28\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\"\u003eCommercial\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.3.x\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e 5.3.43\u003cbr\u003e\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\"\u003eCommercial\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNo further mitigation steps are necessary.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eGenerally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.\u003cbr\u003e\u003cbr\u003eFor setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.\u003cbr\u003e\u003cbr\u003eCredit\u003cbr\u003e\u003cbr\u003eThis issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.\u003cbr\u003e"
}
],
"value": "CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.\n\nAffected Spring Products and Versions\n\nSpring Framework:\n * 6.2.0 - 6.2.6\n\n * 6.1.0 - 6.1.19\n\n * 6.0.0 - 6.0.27\n\n * 5.3.0 - 5.3.42\n * Older, unsupported versions are also affected\n\n\n\nMitigation\n\nUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix Version\u00a0Availability\u00a06.2.x\n 6.2.7\nOSS6.1.x\n 6.1.20\nOSS6.0.x\n 6.0.28\n Commercial https://enterprise.spring.io/ 5.3.x\n 5.3.43\n Commercial https://enterprise.spring.io/ \nNo further mitigation steps are necessary.\n\n\nGenerally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.\n\nFor setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.\n\nCredit\n\nThis issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137: Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T19:14:07.500Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N\u0026version=3.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring Framework DataBinder Case Sensitive Match Exception",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22233",
"datePublished": "2025-05-16T19:14:07.500Z",
"dateReserved": "2025-01-02T04:29:59.191Z",
"dateUpdated": "2025-05-17T02:37:03.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41254 (GCVE-0-2025-41254)
Vulnerability from cvelistv5
Published
2025-10-16 14:48
Modified
2025-10-16 16:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.
Affected Spring Products and VersionsSpring Framework:
* 6.2.0 - 6.2.11
* 6.1.0 - 6.1.23
* 6.0.x - 6.0.29
* 5.3.0 - 5.3.45
* Older, unsupported versions are also affected.
MitigationUsers of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.
CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware | Spring Framework |
Version: 5.3.x Version: 6.0.x Version: 6.1.x Version: 6.2.x |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T16:10:02.754596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T16:10:14.510Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Spring Framework",
"vendor": "VMware",
"versions": [
{
"status": "affected",
"version": "5.3.x"
},
{
"status": "affected",
"version": "6.0.x"
},
{
"status": "affected",
"version": "6.1.x"
},
{
"status": "affected",
"version": "6.2.x"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability was discovered and responsibly reported by Jannis Kaiser."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003eSTOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\u003c/p\u003e\u003ch1\u003eAffected Spring Products and Versions\u003c/h1\u003e\u003cp\u003eSpring Framework:\u003c/p\u003e\u003cul\u003e\u003cli\u003e6.2.0 - 6.2.11\u003c/li\u003e\u003cli\u003e6.1.0 - 6.1.23\u003c/li\u003e\u003cli\u003e6.0.x - 6.0.29\u003c/li\u003e\u003cli\u003e5.3.0 - 5.3.45\u003c/li\u003e\u003cli\u003eOlder, unsupported versions are also affected.\u003c/li\u003e\u003c/ul\u003e\u003ch1\u003eMitigation\u003c/h1\u003e\u003cp\u003eUsers of affected versions should upgrade to the corresponding fixed version.\u003c/p\u003e\u003ctable\u003e\u003cthead\u003e\u003ctr\u003e\u003cth\u003eAffected version(s)\u003c/th\u003e\u003cth\u003eFix version\u003c/th\u003e\u003cth\u003eAvailability\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e6.2.x\u003c/td\u003e\u003ctd\u003e6.2.12\u003c/td\u003e\u003ctd\u003eOSS\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.1.x\u003c/td\u003e\u003ctd\u003e6.1.24\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\"\u003eCommercial\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e6.0.x\u003c/td\u003e\u003ctd\u003eN/A\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://spring.io/projects/spring-framework#support\"\u003eOut of support\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e5.3.x\u003c/td\u003e\u003ctd\u003e5.3.46\u003c/td\u003e\u003ctd\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://enterprise.spring.io/\"\u003eCommercial\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003cp\u003eNo further mitigation steps are necessary.\u003c/p\u003e\u003ch1\u003eCredit\u003c/h1\u003e\u003cp\u003eThis vulnerability was discovered and responsibly reported by Jannis Kaiser.\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.11\n * 6.1.0 - 6.1.23\n * 6.0.x - 6.0.29\n * 5.3.0 - 5.3.45\n * Older, unsupported versions are also affected.\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\nCreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T14:54:08.677Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"name": "Official Advisory",
"url": "https://spring.io/security/cve/2025-41254"
},
{
"name": "CVSS Calculator",
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\u0026version=3.1"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers of affected versions should upgrade to fixed releases: 6.2.12 (OSS), 6.1.24 (Commercial), and 5.3.46 (Commercial). No further mitigation steps are necessary.\u003c/p\u003e"
}
],
"value": "Users of affected versions should upgrade to fixed releases: 6.2.12 (OSS), 6.1.24 (Commercial), and 5.3.46 (Commercial). No further mitigation steps are necessary."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-16T00:00:00.000Z",
"value": "Initial vulnerability report published"
}
],
"title": "Spring Framework STOMP CSRF Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-41254",
"datePublished": "2025-10-16T14:48:37.350Z",
"dateReserved": "2025-04-16T09:30:25.626Z",
"dateUpdated": "2025-10-16T16:10:14.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59419 (GCVE-0-2025-59419)
Vulnerability from cvelistv5
Published
2025-10-15 15:42
Modified
2025-10-17 19:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Summary
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods such as SmtpRequests.rcpt(recipient) are called with a malicious string containing CRLF sequences, attackers can inject arbitrary SMTP commands. Because the injected commands are sent from the server's trusted IP address, resulting emails will likely pass SPF and DKIM authentication checks, making them appear legitimate. This allows remote attackers who can control SMTP command parameters (such as email recipients) to forge arbitrary emails from the trusted server, potentially impersonating executives and forging high-stakes corporate communications. This issue has been patched in versions 4.1.129.Final and 4.2.8.Final. No known workarounds exist.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59419",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T17:21:01.815752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T17:21:14.724Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-10-17T19:44:00.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.depthfirst.com/post/our-ai-agent-found-a-netty-zero-day-that-bypasses-email-authentication-the-story-of-cve-2025-59419"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.7.Final"
},
{
"status": "affected",
"version": "\u003e= 4.2.0.Alpha1, \u003c 4.1.128.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\\r) and Line Feed (\\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods such as SmtpRequests.rcpt(recipient) are called with a malicious string containing CRLF sequences, attackers can inject arbitrary SMTP commands. Because the injected commands are sent from the server\u0027s trusted IP address, resulting emails will likely pass SPF and DKIM authentication checks, making them appear legitimate. This allows remote attackers who can control SMTP command parameters (such as email recipients) to forge arbitrary emails from the trusted server, potentially impersonating executives and forging high-stakes corporate communications. This issue has been patched in versions 4.1.129.Final and 4.2.8.Final. No known workarounds exist."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T15:42:30.922Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86"
},
{
"name": "https://github.com/netty/netty/commit/1782e8c2060a244c4d4e6f9d9112d5517ca05120",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/1782e8c2060a244c4d4e6f9d9112d5517ca05120"
}
],
"source": {
"advisory": "GHSA-jq43-27x9-3v86",
"discovery": "UNKNOWN"
},
"title": "Netty netty-codec-smtp SMTP Command Injection Vulnerability Allowing Email Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59419",
"datePublished": "2025-10-15T15:42:30.922Z",
"dateReserved": "2025-09-15T19:13:16.904Z",
"dateUpdated": "2025-10-17T19:44:00.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…