Spring Framework 6.0.8 Exposes High-Severity CVE-2025-41249 Vulnerability in Core Library
A security alert has been raised for the widely used Spring Framework: version 6.0.8 contains multiple vulnerabilities, including a high-severity flaw (CVE-2025-41249) with a CVSS base score of 7.5. The affected code ships in `spring-core-6.0.8.jar`, a foundational component of countless Java applications. The finding was raised by a GitHub dependency scan, which lists the jar as a direct dependency of projects that pull it in through starters such as `spring-boot-starter-data-couchbase`. Note that a scanner reporting the jar as present says nothing about whether the vulnerable code path is actually reachable from the application; that has to be assessed separately.
The scan reported four vulnerabilities in total against `spring-context-support-6.0.8.jar`, a module that ships in the same Spring Framework release as `spring-core` and therefore carries the same version. The most severe, CVE-2025-41249, is flagged by the scanner as a direct-dependency finding (a property of how the project consumes the artifact, not of the CVE itself). The CVSS temporal metric for exploit maturity is 'Not Defined' and the EPSS score is below 1%, meaning the predicted likelihood of exploitation in the wild over the next 30 days is currently low; the high base score nevertheless indicates significant impact if the flaw is leveraged. The issue is not isolated: it belongs to a cluster of CVEs (including CVE-2025-41242) affecting this release train of the Spring ecosystem, so a single framework upgrade resolves several findings at once.
For development and security teams, remediation is straightforward. The maintainers, Spring Projects, have addressed these issues in later releases; the fix for CVE-2025-41249 is available in `spring-core` version 6.2.11. Because Spring Framework modules are released and versioned together, upgrading `spring-core` alone leaves `spring-context-support` and every other 6.0.8 module in place, so the whole framework version has to move, normally by bumping the Spring Boot version so that its BOM manages Spring Framework 6.2.11 or later, or by pinning the framework version explicitly in the build's dependency management. The presence of these vulnerabilities in both a core module and a supplementary one such as `spring-context-support` (which provides additional context infrastructure) poses a broad supply chain risk: organizations relying on Spring Boot starters or any module that transitively pulls in 6.0.8 should audit the resolved dependency tree of each build, not just the versions declared in their own POM or Gradle file, and upgrade to the patched versions.
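The audit described above can be automated against the output of `mvn dependency:tree`. The script below is an added example, not code from the original page or from Spring Projects: it parses a constructed sample of Maven tree output (not a real build log) and reports every `org.springframework` artifact whose version is older than the 6.2.11 fix version named in the advisory, along with its depth in the tree so transitive pulls through a starter are visible. Applying the same minimum version to every `org.springframework` module is this script's own assumption, justified by the fact that Spring Framework modules are released together.

```python
"""Flag Spring Framework artifacts below the patched version in a Maven dependency tree.

Added example (not from the advisory or the Spring project). Reads `mvn dependency:tree`
output and reports org.springframework artifacts older than FIXED_VERSION.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Fix version for CVE-2025-41249 as stated in the advisory.
FIXED_VERSION = "6.2.11"

# Spring Framework modules all live under this groupId and share one version (assumption:
# the fix version is applied to every module, since the framework is released as a unit).
SPRING_FRAMEWORK_GROUP = "org.springframework"

# Constructed sample of `mvn dependency:tree` output for a project that pulls in
# Spring Framework 6.0.8 transitively through a Spring Boot starter. Versions of the
# Boot and Data artifacts are illustrative only.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-data-couchbase:jar:3.0.6:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:3.0.6:compile
[INFO] |  |  \\- org.springframework:spring-core:jar:6.0.8:compile
[INFO] |  |     \\- org.springframework:spring-jcl:jar:6.0.8:compile
[INFO] |  \\- org.springframework.data:spring-data-couchbase:jar:5.0.5:compile
[INFO] |     +- org.springframework:spring-context-support:jar:6.0.8:compile
[INFO] |     \\- org.springframework:spring-tx:jar:6.0.8:compile
[INFO] \\- org.springframework:spring-web:jar:6.2.11:compile
[INFO] BUILD SUCCESS
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.2.11' or '6.2.11-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def _parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (groupId, artifactId, version, depth) for one tree line, or None if it is not one."""
    if not line.startswith("[INFO]"):
        return None
    body = line[len("[INFO]"):]
    coords = body.lstrip("|+\\- ")          # drop the tree-drawing prefix
    depth = (len(body) - len(coords)) // 3  # Maven indents three characters per level
    parts = coords.strip().split(":")
    if len(parts) in (4, 5):                # group:artifact:type:version[:scope]
        return parts[0], parts[1], parts[3], depth
    if len(parts) == 6:                     # group:artifact:type:classifier:version:scope
        return parts[0], parts[1], parts[4], depth
    return None                             # plugin banners, BUILD SUCCESS, etc.


def find_vulnerable(tree_text: str, fixed_version: str = FIXED_VERSION) -> List[Dict[str, object]]:
    """List every Spring Framework artifact in the tree whose version is below fixed_version."""
    fixed = parse_version(fixed_version)
    findings: List[Dict[str, object]] = []
    for line in tree_text.splitlines():
        parsed = _parse_line(line)
        if parsed is None:
            continue
        group, artifact, version, depth = parsed
        if group != SPRING_FRAMEWORK_GROUP:
            continue
        if parse_version(version) < fixed:
            findings.append({
                "artifact": artifact,
                "version": version,
                "depth": depth,
                "transitive": depth > 1,    # depth 1 = declared directly by the project
            })
    return findings


if __name__ == "__main__":
    # Usage: mvn dependency:tree > tree.txt && python spring_audit.py tree.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for f in find_vulnerable(text):
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['artifact']}:{f['version']} ({kind}, depth {f['depth']}) < {FIXED_VERSION}")
    sys.exit(1 if find_vulnerable(text) else 0)
```

On the sample tree the script flags `spring-core`, `spring-jcl`, `spring-context-support` and `spring-tx` at 6.0.8 and leaves `spring-web` at 6.2.11 alone. Running it against real output (`mvn dependency:tree -Dincludes=org.springframework` keeps the log short) and failing the build on a non-zero exit turns the advisory's "audit your builds" into a repeatable CI check.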