Why Spring Framework’s RFD Bug Lets Attackers Download Malicious Files—and How to Patch It

Spring’s latest security advisory reveals a critical Reflection File Download (RFD) vulnerability affecting multiple Spring Framework versions, allowing crafted requests to force users to download malicious files, and provides detailed conditions, unaffected scenarios, version impact, and recommended remediation steps.

Java Architecture Diary

Vulnerability Overview

Spring has issued a critical security warning about a Reflection File Download (RFD) vulnerability that can enable attackers to craft requests that cause users to download malicious files.

Vulnerability Details

Root Cause

The RFD issue arises when all of the following conditions are met in a Spring Framework application:

Use of org.springframework.http.ContentDisposition to set the Content-Disposition response header.

Setting the filename via ContentDisposition.Builder#filename(String, Charset).

The filename value originates from user input.

The application does not sanitize or validate the user input.

The attacker can inject malicious commands into the response content.

Unaffected Scenarios

If any of the following conditions are true, the application is not vulnerable:

The application does not set a Content-Disposition header.

The header is not set using org.springframework.http.ContentDisposition.

The filename is set via ContentDisposition.Builder#filename(String) or ContentDisposition.Builder#filename(String, ASCII), rather than the ContentDisposition.Builder#filename(String, Charset) path described above.

The filename does not come from user input.

The application properly sanitizes user input, preventing malicious injection.
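To make the conditions above concrete, here is an added example (not code from the advisory or from Spring) of a hypothetical ExportController: the first endpoint reproduces the vulnerable pattern, while the second validates the name, forces the extension the endpoint actually produces, and keeps the body server-generated.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExportController {

    // Hypothetical vulnerable endpoint matching the advisory's conditions:
    // the caller-supplied name flows unchecked into filename(String, Charset)
    // and the caller also controls the reflected response body.
    @GetMapping("/export-unsafe")
    public ResponseEntity<String> exportUnsafe(@RequestParam String name,
                                               @RequestParam String data) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8) // unsanitized user input
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(cd);
        return ResponseEntity.ok().headers(headers)
                .contentType(MediaType.TEXT_PLAIN).body(data);
    }

    // Hardened variant: only a conservative name shape is accepted, the
    // extension is fixed by the server, and the single-argument overload is used.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    static String safeFilename(String requested) {
        if (requested == null || !SAFE_NAME.matcher(requested).matches()) {
            return "export.csv"; // fall back to a fixed default instead of echoing input
        }
        return requested + ".csv";
    }

    @GetMapping("/export")
    public ResponseEntity<String> export(@RequestParam(required = false) String name) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(safeFilename(name)) // validated value, no user-chosen charset
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(cd);
        String csv = "id,value\n1,example\n"; // body is generated server-side only
        return ResponseEntity.ok().headers(headers)
                .contentType(MediaType.TEXT_PLAIN).body(csv);
    }
}
```

The validation step is what removes the "unsanitized user input" condition from the list above; upgrading to a fixed Spring Framework release is still required to cover the builder itself.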

Impact Scope

Affected Spring Framework Versions

Versions impacted by the vulnerability:

6.2.x (6.2.0 – 6.2.7)

6.1.x (6.1.0 – 6.1.20)

6.0.x (6.0.5 – 6.0.28)

Corresponding Spring Boot Versions

Mapping of fixed Spring Framework releases to Spring Boot versions:

Spring Framework 6.2.8 → Spring Boot 3.4.7, 3.5.1 (unreleased) – open‑source support.

Spring Framework 6.1.21 → Spring Boot 3.3.13 (unreleased) – open‑source support.

Spring Framework 6.0.29 → Spring Boot 3.0, 3.1, 3.2 (commercial support).

Note: Earlier unsupported versions are not affected by this vulnerability.

Mitigation

Because the fixed Spring Boot releases are not yet publicly available, upgrade the Spring Framework version directly by importing the spring-framework-bom at the patched version, which overrides the framework version Spring Boot would otherwise manage.

<!-- Place the BOM import in the dependencyManagement section of your pom.xml -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-framework-bom</artifactId>
      <version>6.2.8</version> <!-- or 6.1.21 for the 6.1.x line -->
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
