API Layer 7 Gateway - Spring Framework (CVE-2025-41254)

Article ID: 424056


Products

CA API Gateway

Issue/Introduction

We are using Gateway 11.1.2 OVA. Our security team has identified the below vulnerabilities in their latest scan. 

Note: the report was taken after applying the Layer7_API_PlatformUpdate_64bit_v11.1-Debian-2025-11-25.L7P patch.

Plugin Name: Spring Framework 5.3.x < 5.3.46 / 6.1.x < 6.1.24 / 6.2.x < 6.2.12 STOMP CSRF (CVE-2025-41254)
Severity: Medium
CVE: CVE-2025-41254

Environment

API Layer 7 Gateway version 11.1.x

Cause

CVE-2025-41254 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Spring Framework. It specifically affects applications using STOMP over WebSocket messaging, where insufficient origin validation allows attackers to bypass security controls and send unauthorized messages.
 
Vulnerability Overview
  • CVSS Score: 4.3 (Medium).
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N.
  • Impact: A remote attacker can trick an authenticated user into visiting a malicious page, triggering the browser to send unauthorized STOMP messages. This can manipulate application state or trigger unintended business logic.
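The control the Cause section describes as insufficient is origin validation on the WebSocket handshake that carries STOMP. The following Python is an added, illustrative example (not Spring Framework or CA API Gateway code) of what a strict check looks like: the Origin header must be present, well formed, and match an allow-list exactly after normalization, so look-alike hosts, scheme downgrades and the literal "null" origin are all refused. The allow-list, the handshake request and the endpoint path are constructed for the example.

```python
"""Illustrative Origin check for a STOMP-over-WebSocket handshake.
Added example; not CA API Gateway or Spring Framework code."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: the origins the browser front end is served from.
ALLOWED_ORIGINS = {"https://app.example.com", "https://app.example.com:8443"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if malformed."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # covers the literal "null" origin and non-web schemes
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # an Origin never carries a path; treat one as malformed
    try:
        port = parts.port
    except ValueError:
        return None  # non-numeric port
    default = 443 if parts.scheme == "https" else 80
    port = port or default
    host = parts.hostname.lower()
    if port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def handshake_allowed(headers: Dict[str, str],
                      allowed=ALLOWED_ORIGINS) -> Tuple[bool, str]:
    """Decide whether a WebSocket upgrade request may proceed.

    Browsers always send Origin on a WebSocket handshake, so a missing header
    is rejected here; an exact match against the normalized allow-list is
    required, which defeats prefix/suffix look-alikes and scheme downgrades.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is None:
        return False, "missing Origin header"
    canon = normalize_origin(origin)
    if canon is None:
        return False, "malformed Origin header"
    allowed_canon = {normalize_origin(o) for o in allowed}
    if canon not in allowed_canon:
        return False, f"origin {canon} not in allow-list"
    return True, "ok"


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request head into a header dict (request line skipped)."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return headers


# Constructed handshake as a cross-site page would cause a browser to send it.
CONSTRUCTED_HANDSHAKE = (
    "GET /gateway/ws HTTP/1.1\r\n"
    "Host: api.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://evil.example.net\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(handshake_allowed(parse_headers(CONSTRUCTED_HANDSHAKE)))
```

The normalization step matters: comparing raw header strings would let `https://APP.example.com:443` fail a legitimate check while a naive substring match would accept `https://app.example.com.attacker.test`; canonicalizing both sides and comparing for equality avoids both mistakes.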

Resolution

Gateway 11.1.2 and 11.1.3 (Spring Framework 5.3.37): not mitigated

Gateway 11.2.0 (Spring Framework 6.2.11): not mitigated

We will address the Spring Framework upgrade in our next MPP, which is expected to be released by the end of January 2026.
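The scanner states the affected ranges per branch (5.3.x below 5.3.46, 6.1.x below 6.1.24, 6.2.x below 6.2.12), and the Resolution gives the Spring version each Gateway release ships. The Python below is an added example, not Broadcom tooling, that turns those two facts into a repeatable check a team can rerun after the next MPP lands; the Gateway-to-Spring mapping is copied from this article and the ranges from the scan line, while the `RELEASE` suffix handling is an assumption about how older Spring 5.x versions are labelled.

```python
"""Added example: check Spring Framework versions against the affected ranges
the scan plugin lists for CVE-2025-41254. Not CA API Gateway tooling."""
from typing import Dict, Optional, Tuple

# Affected ranges exactly as the scan plugin states them: each branch is
# vulnerable below the listed fixed release.
AFFECTED_BRANCHES = {
    "5.3": (5, 3, 46),
    "6.1": (6, 1, 24),
    "6.2": (6, 2, 12),
}

# Spring version per Gateway release, as given in this article's Resolution.
GATEWAY_SPRING_VERSIONS = {
    "11.1.2": "5.3.37",
    "11.1.3": "5.3.37",
    "11.2.0": "6.2.11",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '6.2.11' (or '5.3.37.RELEASE', assumed suffix) into (6, 2, 11)."""
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break  # stop at qualifiers such as RELEASE
        nums.append(int(part))
    if len(nums) < 2:
        raise ValueError(f"unrecognised version: {text!r}")
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> Optional[bool]:
    """True if below the fix for its branch, False if at or after it,
    None if the branch is not one the plugin covers.

    Comparison is per branch, so 6.1.0 is still affected even though it is
    numerically above the fixed 5.3.46, and 6.0.x is reported as not covered
    rather than silently compared against a neighbouring branch.
    """
    major, minor, patch = parse_version(version)
    fixed = AFFECTED_BRANCHES.get(f"{major}.{minor}")
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def assess(mapping: Dict[str, str] = GATEWAY_SPRING_VERSIONS) -> Dict[str, str]:
    """Label each Gateway release as 'affected', 'fixed' or 'not covered'."""
    labels = {None: "not covered", True: "affected", False: "fixed"}
    return {gw: labels[is_affected(spring)] for gw, spring in mapping.items()}


if __name__ == "__main__":
    for gateway, verdict in assess().items():
        print(f"Gateway {gateway}: Spring {GATEWAY_SPRING_VERSIONS[gateway]} -> {verdict}")
```

Run as written it reports all three Gateway releases as affected, which matches the Resolution; once the MPP ships, updating the mapping with the new Spring version is enough to re-evaluate.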

Additional Information

National Vulnerability Database

CVE Record Information