spring-boot-starter-data-jpa-3.5.3.jar: 2 vulnerabilities (highest severity is: 7.5) #30
Description
Vulnerable Library - spring-boot-starter-data-jpa-3.5.3.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/6.2.8/9da1e690f343c30b6ed6eabd5f60ecc5dd0b225a/spring-beans-6.2.8.jar
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (spring-boot-starter-data-jpa version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-41249 |  High |
7.5 | spring-core-6.2.8.jar | Transitive | 3.5.6 | ❌ |
| CVE-2025-41242 |  Medium |
5.9 | spring-beans-6.2.8.jar | Transitive | 3.5.5 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-41249
Vulnerable Library - spring-core-6.2.8.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/6.2.8/2caf1cef93252f5ef2b7f334b8b4d61f3aecad15/spring-core-6.2.8.jar
Dependency Hierarchy:
- spring-boot-starter-data-jpa-3.5.3.jar (Root Library)
- spring-data-jpa-3.5.1.jar
- ❌ spring-core-6.2.8.jar (Vulnerable Library)
- spring-data-jpa-3.5.1.jar
Found in base branch: master
Vulnerability Details
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-09-16
URL: CVE-2025-41249
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41249
Release Date: 2025-09-14
Fix Resolution (org.springframework:spring-core): 6.2.11
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-jpa): 3.5.6
Step up your Open Source Security Game with Mend here
CVE-2025-41242
Vulnerable Library - spring-beans-6.2.8.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/6.2.8/9da1e690f343c30b6ed6eabd5f60ecc5dd0b225a/spring-beans-6.2.8.jar
Dependency Hierarchy:
- spring-boot-starter-data-jpa-3.5.3.jar (Root Library)
- spring-data-jpa-3.5.1.jar
- ❌ spring-beans-6.2.8.jar (Vulnerable Library)
- spring-data-jpa-3.5.1.jar
Found in base branch: master
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
- the application is deployed as a WAR or with an embedded Servlet container
- the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization
- the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Publish Date: 2025-08-18
URL: CVE-2025-41242
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2025-41242
Release Date: 2025-08-18
Fix Resolution (org.springframework:spring-beans): 6.2.10
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-jpa): 3.5.5
Step up your Open Source Security Game with Mend here