Spring Framework Vulnerability GHSA-4773-3jfm-qmx3 Exposes File Disclosure Risk in WebMVC
A newly disclosed vulnerability in the widely used Spring Framework poses a medium-severity risk of unauthorized file disclosure. Tracked as GHSA-4773-3jfm-qmx3 with a CVSS score of 5.9, the flaw resides in the `org.springframework:spring-webmvc` component, specifically version 7.0.5. The core issue allows attackers to potentially read files from outside the intended directories when applications use Java scripting engines like JRuby or Jython for template views.

The vulnerability is not isolated to the latest version. It affects a broad range of Spring Framework releases, including all versions from 7.0.0 through 7.0.5, 6.2.0 through 6.2.16, 6.1.0 through 6.1.25, and 5.3.0 through 5.3.46. This wide scope impacts both Spring MVC and Spring WebFlux applications, two foundational technologies for building Java web services. The immediate affected project identified is 'modular-rag', but the underlying library's prevalence suggests many more deployments could be at risk.

This exposure creates a direct path for information leakage, potentially compromising sensitive configuration files, source code, or other data stored on the server. While the severity is rated as medium, the combination of Spring's enterprise ubiquity and the specific nature of the flaw—exploiting misconfigured script template views—demands prompt scrutiny from development and security teams. Organizations must assess their dependency trees and apply the necessary patches or configuration hardening to mitigate the file disclosure risk.
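The dependency-tree assessment the advisory calls for can be automated against the version ranges it lists. The following script is an added example written for this page; it is not code from the advisory, from Spring, or from the modular-rag project. It parses `mvn dependency:tree` output and flags `org.springframework` artifacts whose version falls inside one of the affected ranges quoted above. Two assumptions are made: the `spring-webflux` artifact is checked alongside `spring-webmvc` because the text says WebFlux applications are also affected (the advisory itself names only `spring-webmvc`), and the dependency-tree text embedded below is constructed sample input, not output from a real build.

```python
"""Flag Spring artifacts in `mvn dependency:tree` output whose version lies
inside the ranges listed for GHSA-4773-3jfm-qmx3 (added example, not the
advisory's or Spring's own code)."""
import re

# Affected version ranges exactly as stated in the advisory text,
# inclusive on both ends.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 5)),
    ((6, 2, 0), (6, 2, 16)),
    ((6, 1, 0), (6, 1, 25)),
    ((5, 3, 0), (5, 3, 46)),
]

# spring-webmvc is the component named in the advisory. spring-webflux is
# included on the assumption that the same ranges apply, since the text
# says WebFlux applications are affected too.
WATCHED_ARTIFACTS = {"spring-webmvc", "spring-webflux"}
WATCHED_GROUP = "org.springframework"

# A Maven coordinate in dependency:tree output looks like
#   g:a:type:version[:scope]  or  g:a:type:classifier:version[:scope]
COORD_RE = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")


def parse_version(version: str) -> tuple:
    """Turn '6.2.16' or '6.2.16-SNAPSHOT' into a comparable (6, 2, 16).
    Qualifiers after '-' or '+' are dropped; short versions pad with 0."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the version sits inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def parse_coordinate(line: str):
    """Extract (group, artifact, version) from one dependency:tree line,
    or None when the line carries no Maven coordinate."""
    m = COORD_RE.search(line)
    if not m:
        return None
    tokens = m.group(0).split(":")
    # The version is the first token after the packaging type that starts
    # with a digit; this skips an optional classifier such as 'linux'.
    version = next((t for t in tokens[3:] if t[:1].isdigit()), None)
    if version is None:
        return None
    return tokens[0], tokens[1], version


def scan_dependency_tree(text: str) -> list:
    """Return (group, artifact, version) for each watched artifact whose
    version is inside an affected range."""
    findings = []
    for line in text.splitlines():
        coord = parse_coordinate(line)
        if coord is None:
            continue
        group, artifact, version = coord
        if group == WATCHED_GROUP and artifact in WATCHED_ARTIFACTS \
                and is_affected(version):
            findings.append(coord)
    return findings


# Constructed sample output in the shape `mvn dependency:tree` prints;
# the coordinates and versions here are illustrative, not a real build.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.springframework:spring-webmvc:jar:6.2.16:compile
[INFO] |  \\- org.springframework:spring-web:jar:6.2.16:compile
[INFO] +- org.springframework:spring-webflux:jar:7.0.6:compile
[INFO] \\- org.springframework:spring-webmvc:jar:5.3.46:test
"""

if __name__ == "__main__":
    for group, artifact, version in scan_dependency_tree(SAMPLE_TREE):
        print(f"AFFECTED: {group}:{artifact}:{version}")
```

Feed it real output with `mvn dependency:tree | python check_spring.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; transitive dependencies appear in the tree, so a vulnerable `spring-webmvc` pulled in by another library is caught as well. The boundary versions (7.0.5, 6.2.16, 6.1.25, 5.3.46) are treated as affected because the advisory lists each range as inclusive; a version above a range's upper bound is reported clean only in the sense that it lies outside what the advisory names, not as a confirmed fixed release.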