Spring Framework MVC Path Traversal Flaw Targets Static Resource Handling on Non-Compliant Servlet Containers
A path traversal vulnerability has been identified in Spring Framework MVC applications when deployed on Servlet containers that do not enforce strict URI path canonicalization. The flaw specifically affects applications serving static resources through Spring's resource handling mechanism, raising the risk of unauthorized file access on vulnerable configurations.
Applications become exposed when three conditions hold at once: the application is deployed as a WAR or with an embedded Servlet container; the underlying Servlet container fails to reject suspicious URI path sequences as required by the Jakarta Servlet 6.1 specification; and the application serves static resources using Spring's resource handling capabilities. Together these conditions create an attack surface that could allow malicious actors to access files outside the intended web root directory.
Testing has confirmed that applications running on Apache Tomcat or Eclipse Jetty remain protected, provided default security features remain enabled. However, the Spring team warns that not all Servlet containers and configuration variants could be verified, prompting a strong recommendation for all users to upgrade to the latest version of org.springframework:spring-web. Organizations running custom or less common Servlet container implementations should treat this as a priority update given the uncertainty around container-specific behaviors.
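The upgrade of org.springframework:spring-web is the fix. For teams that cannot verify whether their Servlet container rejects suspicious URI sequences as the conditions above describe, a defence-in-depth filter that refuses such requests before they reach the static resource handler is a reasonable interim control. The following servlet Filter is an added example written for this article; it is not code from the Spring project, the advisory, or any Servlet container. The `SuspiciousPathFilter` class and `isSuspicious` method are hypothetical names, and the list of rejected sequences (encoded dot, slash, backslash and percent; literal backslash; `.` and `..` segments, including with path parameters attached; empty mid-path segments) is a conservative approximation of what a compliant container is expected to refuse, not a quotation of the specification text.

```java
// Added example (not Spring project code): a defence-in-depth servlet Filter
// that rejects request URIs containing sequences a Servlet 6.1-compliant
// container is expected to refuse, before they reach Spring's resource handler.
// The pattern list below is a conservative approximation, not the spec text.
package example.hardening;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.regex.Pattern;

public class SuspiciousPathFilter implements Filter {

    // Percent-encoded forms that should never appear in the raw (undecoded) URI
    // of a static resource request: %2e (.), %2f (/), %5c (\), %25 (%).
    private static final Pattern ENCODED_SPECIALS =
            Pattern.compile("%(2e|2f|5c|25)", Pattern.CASE_INSENSITIVE);

    /** Returns true when the raw request URI should be rejected outright. */
    static boolean isSuspicious(String rawUri) {
        if (rawUri == null || rawUri.isEmpty()) {
            return true;
        }
        // Literal backslash or any of the encoded specials: reject immediately.
        if (rawUri.indexOf('\\') >= 0 || ENCODED_SPECIALS.matcher(rawUri).find()) {
            return true;
        }
        // Inspect each path segment; the query string is not part of the path.
        String path = rawUri;
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q);
        }
        String[] segments = path.split("/", -1);
        // segments[0] is the empty string before the leading '/'.
        for (int i = 1; i < segments.length; i++) {
            String seg = segments[i];
            // Strip path parameters (";name=value") before the dot-segment check
            // so that a segment such as "..;" is still recognised as "..".
            int semi = seg.indexOf(';');
            String base = semi >= 0 ? seg.substring(0, semi) : seg;
            if (base.equals(".") || base.equals("..")) {
                return true;
            }
            // An empty segment in the middle of the path ("//") is rejected;
            // a trailing slash (empty final segment) is allowed.
            if (base.isEmpty() && i < segments.length - 1) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRequestURI() returns the URI as sent by the client, without decoding,
        // which is what the checks above are written against.
        if (isSuspicious(http.getRequestURI())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter for every URL pattern (in Spring Boot, a `FilterRegistrationBean` with a low order so it runs first; in a WAR, a `<filter>` entry in web.xml) and confirm with requests such as `/static/..%2fconfig` and `/static/..;/config` that the application now answers 400 rather than reaching the resource handler. Because the checks run on the raw URI, the filter does not depend on the container's own canonicalization, which is exactly the property the affected configurations lack. It remains a stopgap: the spring-web upgrade should still be applied.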