
Why Spring Framework’s RFD Bug Lets Attackers Download Malicious Files—and How to Patch It

Spring’s latest security advisory reveals a critical Reflection File Download (RFD) vulnerability affecting multiple Spring Framework versions, allowing crafted requests to force users to download malicious files, and provides detailed conditions, unaffected scenarios, version impact, and recommended remediation steps.

Java Architecture Diary

Vulnerability Overview

Spring has issued a critical security warning about a Reflection File Download (RFD) vulnerability that can enable attackers to craft requests that cause users to download malicious files.

Vulnerability Details

Root Cause

The RFD issue arises when all of the following conditions are met in a Spring Framework application:

Use of org.springframework.http.ContentDisposition to set the Content-Disposition response header.

Setting the filename via ContentDisposition.Builder#filename(String, Charset).

The filename value originates from user input.

The application does not sanitize or validate the user input.

The attacker can inject malicious commands into the response content.

Unaffected Scenarios

If any of the following conditions are true, the application is not vulnerable:

The application does not set a Content-Disposition header.

The header is not set using org.springframework.http.ContentDisposition.

The filename is set via ContentDisposition.Builder#filename(String) or ContentDisposition.Builder#filename(String, ASCII).

The filename does not come from user input.

The application properly sanitizes user input, preventing malicious injection.
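To make the two lists above concrete, here is an added example (not code from the advisory or from any Spring project) with a hypothetical controller: the first handler meets every vulnerable condition, the second avoids them by allowlisting the name, using the ASCII-only filename(String) overload the advisory lists as unaffected, and pinning the content type.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller; both handlers are illustrative, not code from the advisory.
@RestController
public class ExportController {
    // VULNERABLE pattern (all advisory conditions met): the user-supplied "name"
    // reaches filename(String, Charset) unchecked, and the body reflects "q".
    @GetMapping("/export/unsafe")
    public ResponseEntity<byte[]> exportUnsafe(@RequestParam String name, @RequestParam String q) {
        byte[] body = ("query=" + q).getBytes(StandardCharsets.UTF_8);
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8)
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(cd);
        return ResponseEntity.ok().headers(headers).body(body);
    }

    // HARDENED pattern: allowlist the name, force the served extension, use the
    // ASCII-only filename(String) overload the advisory lists as unaffected, and
    // pin Content-Type plus nosniff so the browser cannot reinterpret the body.
    @GetMapping("/export/safe")
    public ResponseEntity<byte[]> exportSafe(@RequestParam String name) {
        byte[] body = "id,value\n1,sample\n".getBytes(StandardCharsets.UTF_8); // constructed, no echo
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(safeFilename(name))
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.parseMediaType("text/csv"));
        headers.setContentDisposition(cd);
        headers.set("X-Content-Type-Options", "nosniff");
        return ResponseEntity.ok().headers(headers).body(body);
    }

    // Keep only [A-Za-z0-9_-], cap the length, append the one extension this
    // endpoint serves, and fall back to a default when nothing survives.
    static String safeFilename(String requested) {
        String base = requested == null ? "" : requested.replaceAll("[^A-Za-z0-9_-]", "");
        if (base.isEmpty()) base = "export";
        if (base.length() > 64) base = base.substring(0, 64);
        return base + ".csv";
    }
}
```

Even on a patched framework the hardened form is the one to keep: the fix only changes how filename(String, Charset) encodes its input, while the allowlist and the fixed content type remove the user-controlled filename and the reflected body from the equation entirely.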

Impact Scope

Affected Spring Framework Versions

Versions impacted by the vulnerability:

6.2.x (6.2.0 – 6.2.7)

6.1.x (6.1.0 – 6.1.20)

6.0.x (6.0.5 – 6.0.28)

Corresponding Spring Boot Versions

Mapping of fixed Spring Framework releases to Spring Boot versions:

Spring Framework 6.2.8 → Spring Boot 3.4.7, 3.5.1 (unreleased) – open-source support.

Spring Framework 6.1.21 → Spring Boot 3.3.13 (unreleased) – open-source support.

Spring Framework 6.0.29 → Spring Boot 3.0, 3.1, 3.2 (commercial support).

Note: Earlier unsupported versions are not affected by this vulnerability.

Mitigation

Because the newer Spring Boot releases are not yet publicly available, it is recommended to upgrade the Spring Framework version via the spring-framework-bom BOM to ensure the fix is applied.

<code>&lt;dependency&gt;
  &lt;groupId&gt;org.springframework&lt;/groupId&gt;
  &lt;artifactId&gt;spring-framework-bom&lt;/artifactId&gt;
  &lt;version&gt;6.2.8&lt;/version&gt; <!-- or 6.1.21 -->
  &lt;type&gt;pom&lt;/type&gt;
  &lt;scope&gt;import&lt;/scope&gt;
&lt;/dependency&gt;</code>