
Preventing Path Traversal in Spring MVC/Fn: Vulnerability Details and Fixes

This article explains how static resource handling via WebMvc.fn or WebFlux.fn can be exploited for path traversal, lists the affected Spring Framework and Spring Boot versions, and provides mitigation steps such as upgrading, enabling Spring Security HttpFirewall, or switching to Tomcat/Jetty.

Java Architecture Diary

Description

Applications that serve static resources using the web framework WebMvc.fn or WebFlux.fn can be vulnerable to path-traversal attacks. An attacker can craft malicious HTTP requests to read any file on the file system that the Spring process can access.

The vulnerability is exploitable when both of the following conditions are met:

1. The static resource is served via RouterFunctions.

2. The resource handling is explicitly configured with a location using FileSystemResource.

The attack is blocked if either of the following is true:

Spring Security HttpFirewall is enabled (see https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html).

The application runs on Tomcat or Jetty, which reject such malicious requests.

Affected Spring Products and Versions

Spring Framework

5.3.0 – 5.3.39

6.0.0 – 6.0.23

6.1.0 – 6.1.12

Older, unsupported versions are also affected

Spring Boot

2.7.0 – 2.7.18

3.0.0 – 3.0.13

3.1.0 – 3.1.12

3.2.0 – 3.2.9

3.3.0 – 3.3.3

Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the patched releases:

5.3.x → 5.3.40 (Enterprise edition only)

6.0.x → 6.0.24 (Enterprise edition only)

6.1.x → 6.1.13 (Open‑source edition)

Since open‑source support for Spring Framework 5.3.x and 6.0.x ended recently, users of older, unsupported versions can enable Spring Security’s HttpFirewall or switch to Tomcat or Jetty as the web server, as both reject the malicious requests. (Note: older Tomcat/Jetty versions have other vulnerabilities; use recent, maintained releases.)

Spring Boot 3.2.10 and 3.3.4, which include the security fix, are scheduled for release on September 19.
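To make the exploitable configuration from the Description concrete, and to show what a defensive lookup for unsupported versions can look like, here is an added example (not code from the article or from the Spring fix commit). It assumes a WebMvc.fn application that serves uploaded files from a constructed directory /var/app/uploads under the URL prefix /files/; the route contrasts the RouterFunctions + FileSystemResource setup the article describes with a custom lookup function that refuses any resolved path outside the base directory. Upgrading remains the real fix; this guard is a stop-gap alongside HttpFirewall or a Tomcat/Jetty runtime.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;
import java.util.function.Function;

import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerRequest;
import org.springframework.web.servlet.function.ServerResponse;

public class UploadRoutes {

    // Constructed base directory; the real location is an assumption for this example.
    private static final Path BASE = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    private static final String PREFIX = "/files/";

    // The configuration the article describes: static resources served through
    // RouterFunctions with a FileSystemResource location. On the affected
    // versions listed above this is the exploitable shape.
    public static RouterFunction<ServerResponse> resourceRoutes() {
        return RouterFunctions.resources(PREFIX + "**", new FileSystemResource(BASE.toString() + "/"));
    }

    // Defensive alternative: a lookup function that only hands out files whose
    // normalized path stays inside BASE, regardless of what the URL contained.
    public static RouterFunction<ServerResponse> guardedRoutes() {
        Function<ServerRequest, Optional<Resource>> lookup = request -> {
            String requested = request.path();            // e.g. "/files/report.pdf"
            if (!requested.startsWith(PREFIX)) {
                return Optional.empty();
            }
            return resolveUnderBase(requested.substring(PREFIX.length()));
        };
        return RouterFunctions.resources(lookup);
    }

    // Returns the resource only if the resolved path is below BASE and is a
    // readable regular file. Path.resolve() of an absolute string yields that
    // absolute path, and ".." segments are collapsed by normalize(), so both
    // cases fail the startsWith(BASE) check. normalize() does not follow
    // symlinks; use toRealPath() as well if BASE may contain links.
    static Optional<Resource> resolveUnderBase(String relative) {
        if (relative.isEmpty() || relative.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        Path target = BASE.resolve(relative).normalize();
        if (!target.startsWith(BASE) || !Files.isRegularFile(target) || !Files.isReadable(target)) {
            return Optional.empty();
        }
        return Optional.of(new FileSystemResource(target));
    }
}
```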

Conclusion

The fix commit for this vulnerability can be found at https://github.com/spring-projects/spring-framework/commit/d86bf8b2056429edf5494456cffcb2b243331c49.

This vulnerability is severe—more critical than the previous DDoS issue. Projects that allow local file uploads and serve those files through Spring should treat it with high priority. Users of Undertow are advised to route file access through Nginx instead of Spring when possible.
