Vulnerability Database
296,663
Total vulnerabilities in the database
CVE-2025-41254
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.
Affected Spring Products and Versions
Spring Framework:
- 6.2.0 - 6.2.11
- 6.1.0 - 6.1.23
- 6.0.x - 6.0.29
- 5.3.0 - 5.3.45
- Older, unsupported versions are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)
Fix version | Availability -|- 6.2.x | 6.2.12 OSS 6.1.x | 6.1.24 Commercial https://enterprise.spring.io/ 6.0.x | N/A Out of support https://spring.io/projects/spring-framework#support 5.3.x | 5.3.46 Commercial https://enterprise.spring.io/
No further mitigation steps are necessary.
CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.
| Software | From | Fixed in |
|---|---|---|
org.springframework / spring-websocket
|
6.2.0 | 6.2.12 |
|
org.springframework / spring-websocket
|
6.1.0 | 6.1.21.x |
|
org.springframework / spring-websocket
|
6.0.0 | 6.0.23.x |
|
org.springframework / spring-websocket
|
- | 5.3.39.x |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime