Description
Vulnerable Library - spring-boot-starter-web-3.5.3.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.2.8/a98cbaba4b55b4fee2d752041130e2e0f7014b27/spring-webmvc-6.2.8.jar
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2025-55754 | 9.6 | tomcat-embed-core-10.1.42.jar | Transitive | 3.5.6 | ❌ |
| CVE-2025-55752 | 7.5 | tomcat-embed-core-10.1.42.jar | Transitive | 3.5.6 | ❌ |
| CVE-2025-48989 | 7.5 | tomcat-embed-core-10.1.42.jar | Transitive | 3.5.5 | ❌ |
| CVE-2025-41249 | 7.5 | spring-core-6.2.8.jar | Transitive | 3.5.6 | ❌ |
| CVE-2025-41242 | 5.9 | detected in multiple dependencies | Transitive | 3.5.5 | ❌ |
| CVE-2025-61795 | 5.3 | tomcat-embed-core-10.1.42.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that includes a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2025-55754
Vulnerable Library - tomcat-embed-core-10.1.42.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.42/8906a203edef16fa6013635925bf9f5d1dbe5639/tomcat-embed-core-10.1.42.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.5.3.jar (Root Library)
  - spring-boot-starter-tomcat-3.5.3.jar
    - ❌ tomcat-embed-core-10.1.42.jar (Vulnerable Library)
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
Publish Date: 2025-10-27
URL: CVE-2025-55754
CVSS 3 Score Details (9.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd
Release Date: 2025-10-27
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.45
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.6
Step up your Open Source Security Game with Mend here
CVE-2025-55752
Vulnerable Library - tomcat-embed-core-10.1.42.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.42/8906a203edef16fa6013635925bf9f5d1dbe5639/tomcat-embed-core-10.1.42.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.5.3.jar (Root Library)
  - spring-boot-starter-tomcat-3.5.3.jar
    - ❌ tomcat-embed-core-10.1.42.jar (Vulnerable Library)
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
Relative Path Traversal vulnerability in Apache Tomcat.
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
Publish Date: 2025-10-27
URL: CVE-2025-55752
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
Release Date: 2025-10-27
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.45
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.6
CVE-2025-48989
Vulnerable Library - tomcat-embed-core-10.1.42.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.42/8906a203edef16fa6013635925bf9f5d1dbe5639/tomcat-embed-core-10.1.42.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.5.3.jar (Root Library)
  - spring-boot-starter-tomcat-3.5.3.jar
    - ❌ tomcat-embed-core-10.1.42.jar (Vulnerable Library)
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
An Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
Publish Date: 2025-08-13
URL: CVE-2025-48989
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-13
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.44
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.5
CVE-2025-41249
Vulnerable Library - spring-core-6.2.8.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.8/2caf1cef93252f5ef2b7f334b8b4d61f3aecad15/spring-core-6.2.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.5.3.jar (Root Library)
  - spring-webmvc-6.2.8.jar
    - ❌ spring-core-6.2.8.jar (Vulnerable Library)
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution (org.springframework:spring-core): 6.2.11
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.6
CVE-2025-41242
Vulnerable Libraries - spring-beans-6.2.8.jar, spring-webmvc-6.2.8.jar
spring-beans-6.2.8.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/6.2.8/9da1e690f343c30b6ed6eabd5f60ecc5dd0b225a/spring-beans-6.2.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.5.3.jar (Root Library)
  - spring-webmvc-6.2.8.jar
    - ❌ spring-beans-6.2.8.jar (Vulnerable Library)
spring-webmvc-6.2.8.jar
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.2.8/a98cbaba4b55b4fee2d752041130e2e0f7014b27/spring-webmvc-6.2.8.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.5.3.jar (Root Library)
  - ❌ spring-webmvc-6.2.8.jar (Vulnerable Library)
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
- the application is deployed as a WAR or with an embedded Servlet container
- the Servlet container does not reject suspicious sequences (https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization)
- the application serves static resources (https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title) with Spring resource handling
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Publish Date: 2025-08-18
URL: CVE-2025-41242
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41242
Release Date: 2025-08-18
Fix Resolution (org.springframework:spring-beans): 6.2.10
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.5
Fix Resolution (org.springframework:spring-webmvc): 6.2.10
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.5
CVE-2025-61795
Vulnerable Library - tomcat-embed-core-10.1.42.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.42/8906a203edef16fa6013635925bf9f5d1dbe5639/tomcat-embed-core-10.1.42.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.5.3.jar (Root Library)
  - spring-boot-starter-tomcat-3.5.3.jar
    - ❌ tomcat-embed-core-10.1.42.jar (Vulnerable Library)
Found in HEAD commit: 2f1a9a9570f4eb6dd31214d496a58b9a9f7e7718
Found in base branch: master
Vulnerability Details
Improper Resource Shutdown or Release vulnerability in Apache Tomcat.
If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.
Publish Date: 2025-10-27
URL: CVE-2025-61795
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp
Release Date: 2025-10-27
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.110