MEDIUM 5.9

CVE-2026-41843: Spring Framework Path Traversal in Static Resource Resolution

Spring Framework applications that serve static resources through MVC or WebFlux are vulnerable to path traversal attacks. An attacker can craft malicious requests to access files outside the intended static resource directory, potentially reading sensitive configuration files, source code, or other protected assets. This vulnerability affects multiple recent versions of Spring Framework across all actively maintained branches.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-27

NVD description (verbatim)

Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Spring Framework's static resource resolution logic for both MVC and WebFlux applications. When processing requests for static resources, the framework fails to adequately validate and sanitize path components, allowing directory traversal sequences (such as ../ patterns) to escape the configured resource base directory. The attack vector is network-based with no authentication required, though successful exploitation requires crafted request construction. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Affected versions include Spring Framework 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48.

Business impact

Applications using Spring Framework to host static resources face confidentiality risks. Unauthorized file disclosure could expose proprietary source code, configuration details containing credentials or API endpoints, build artifacts, or environment-specific metadata. The impact is limited to information disclosure—there is no direct integrity or availability impact from the vulnerability itself. Organizations relying on Spring-based web applications should assess whether static resources are exposed to untrusted networks and whether sensitive files could be reached through traversal.

Affected systems

VMware Spring Framework versions 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, and 7.0.0–7.0.7 are affected. Both Spring MVC and Spring WebFlux applications that serve static resources are in scope. Applications using alternative frameworks, those not serving user-accessible static content, or those behind path-filtering proxies may face reduced risk depending on configuration.

Exploitability

The vulnerability requires network access and the ability to craft HTTP requests; no authentication is necessary. However, the CVSS vector (AC:H) indicates relatively high attack complexity, suggesting that exploitation is not trivial—specific knowledge of application structure, static resource paths, or file system layout may be required to successfully extract meaningful information. Public exploit code or widespread active exploitation has not been confirmed as of the published date.

Remediation

Upgrade to patched versions of Spring Framework. Verify exact version numbers against the official VMware Spring Framework security advisory to confirm the minimum safe release for each branch (5.3.x, 6.1.x, 6.2.x, 7.0.x). As an interim mitigation, deploy a reverse proxy or WAF rule that blocks path traversal patterns (../, ..\, percent-encoded variants) in requests to static resource endpoints, though this is not a complete substitute for patching.

Patch guidance

Check the VMware Spring Framework advisory page for the exact patched versions available for each affected branch. Organizations should prioritize upgrading applications running 7.x versions first, followed by 6.2.x, then older versions. Test patches in a non-production environment to ensure compatibility with application-specific resource serving configurations. Verify that the upgrade does not disrupt legitimate static resource access.

Detection guidance

Monitor web server and application logs for requests containing path traversal patterns targeting static resource paths (e.g., /static/../../../etc/passwd or URL-encoded equivalents). Check for unusual file system access patterns originating from the Spring application process. Network-based detection can flag HTTP requests with suspicious query strings or path components in static resource requests. Post-remediation, baseline legitimate static resource request patterns to establish normal behavior.

Why prioritize this

While the CVSS score of 5.9 places this in the Medium category, prioritization depends on exposure. Applications that serve static resources to untrusted networks should patch sooner; internal-only or air-gapped deployments face lower risk. The confidentiality impact is notable if sensitive files are reachable, but lack of public KEV listing suggests limited widespread active exploitation. Prioritize based on network exposure and presence of sensitive files in or near static resource directories.

Risk score, explained

The CVSS 3.1 score of 5.9 (Medium) reflects a confidentiality impact (High) offset by high attack complexity and no authentication requirement (Network, No Auth). The vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N indicates the attacker must overcome significant hurdles to exploit the flaw successfully, likely requiring knowledge of target architecture or file system structure. The lack of integrity or availability impact further reduces severity despite the confidentiality risk.

Frequently asked questions

Which Spring Framework versions are unaffected?

Spring Framework versions prior to 5.3.0 and any version later than 7.0.7 within each supported branch are not listed as affected. Verify the exact patched versions in the VMware advisory for your branch. Spring Boot users should check which Framework version their Boot release depends on.

Do I need to change my application code, or is upgrading the framework sufficient?

Upgrading Spring Framework should be sufficient; the fix is in the framework's static resource resolution logic. Verify your application's static resource configuration matches documented patterns, but code changes are typically not required.

Are there any known public exploits for this vulnerability?

As of the published date, the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and widespread public exploit code has not been reported. However, organizations should not assume indefinite safety—exploit development is possible once patches are available.

If I serve static resources through a CDN instead of directly from the Spring application, am I protected?

Yes, applications that do not serve static resources directly from the Spring application (for example, through a CDN, separate static file server, or disabled static resource handling) are not affected by this vulnerability.

This analysis is provided for informational purposes and should not be construed as legal, compliance, or definitive security advice. Organizations must verify all patch version numbers and compatibility against official VMware Spring Framework advisories and their own testing. Exploit code, weaponized proof-of-concepts, and detailed attack steps are not provided in this document. Risk assessment should account for your specific application architecture, network exposure, and data sensitivity. Consult with your security team and test thoroughly before applying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).