Vulnerability Database

319,561

Total vulnerabilities in the database

CVE-2025-41254

STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and VersionsSpring Framework:

6.2.0 - 6.2.11
6.1.0 - 6.1.23
6.0.x - 6.0.29
5.3.0 - 5.3.45
Older, unsupported versions are also affected.

MitigationUsers of affected versions should upgrade to the corresponding fixed version.

Affected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.

CreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser.

Published: Oct 16, 2025
Updated: Jan 19, 2026
CVE: CVE-2025-41254
GHSA: GHSA-7fch-4f2f-jcgm
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
org.springframework / spring-websocket	6.2.0	6.2.12
org.springframework / spring-websocket	6.1.0	6.1.21.x
org.springframework / spring-websocket	6.0.0	6.0.23.x
org.springframework / spring-websocket	-	5.3.39.x

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo