Spring Security Advisories

CVE-2015-5211 RFD Attack in Spring Framework

HIGH | OCTOBER 15, 2015 | CVE-2015-5211


Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

For details and concrete examples see the very helpful RFD paper from Trustwave.

Affected Spring Products and Versions

  • Spring Framework 3.2.0 to 3.2.14
  • Spring Framework 4.0.0 to 4.1.7
  • Spring Framework 4.2.0 to 4.2.1
  • Other unsupported versions are also affected


Users of affected Spring Framework versions should upgrade as follows:

  • For 3.2.x upgrade to 3.2.15+.
  • For 4.0.x and 4.1.x upgrade to 4.1.8+.
  • For 4.2.x upgrade to 4.2.2+.

In the above-mentioned versions Spring MVC checks whether the URL contains a file extension prior to writing with an HttpMessageConverter, and if the extension is unknown a “Content-Disposition” response header is added to suggest the download filename “f.txt”. The list of “known” extensions by default includes the ones associated with the built-in HttpMessageConverter implementations as well as any additional extensions explicitly registered for content negotiation purposes. For 4.x the fix also includes URL checks for SockJS URLs and validation of the JSONP callback parameter in all areas where JSONP is supported.
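To make that check concrete, the following is an added illustration written for this page (it is not Spring's own source) of the rule the fixed versions apply: if the last path segment carries an extension that is not on the application's allowlist, the response gets a fixed Content-Disposition filename so the URL cannot dictate the name the browser saves under. The class and the allowlist are hypothetical, and the header value `inline;filename=f.txt` is this example's choice.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: applies the "unknown extension => pinned download name" rule
// described in the advisory to every response that passes through it.
public class UnknownExtensionDispositionFilter extends OncePerRequestFilter {

    // Extensions the application legitimately serves. This mirrors the advisory's
    // "known" list (converter extensions plus those registered for content
    // negotiation); the concrete entries are constructed for this example and must
    // also cover static resources (css, js, png, ...) if the filter sees them.
    private final Set<String> knownExtensions = new HashSet<String>();

    public UnknownExtensionDispositionFilter(String... extensions) {
        for (String ext : extensions) {
            knownExtensions.add(ext.toLowerCase(Locale.ENGLISH));
        }
    }

    /** Lower-cased extension of the last path segment, or null when there is none. */
    static String pathExtension(String requestPath) {
        // getFilenameExtension only looks at the last segment: "/a.b/c" -> null
        String ext = StringUtils.getFilenameExtension(requestPath);
        return (ext == null || ext.isEmpty()) ? null : ext.toLowerCase(Locale.ENGLISH);
    }

    /** True when the URL carries an extension that is not on the allowlist. */
    boolean hasUnknownExtension(String requestPath) {
        String ext = pathExtension(requestPath);
        return ext != null && !knownExtensions.contains(ext);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (hasUnknownExtension(request.getRequestURI())) {
            // The browser is told the name "f.txt" regardless of what the URL ends with,
            // so reflected content is never offered as an executable file type.
            response.setHeader(HttpHeaders.CONTENT_DISPOSITION, "inline;filename=f.txt");
        }
        chain.doFilter(request, response);
    }
}
```

Register it with the allowlist the application actually needs, e.g. `new UnknownExtensionDispositionFilter("json", "xml", "css", "js", "png")`. The framework's fix applies the rule only when an HttpMessageConverter writes the body; a servlet filter cannot tell that apart, which is why the allowlist here has to include static-resource extensions too, and why upgrading remains the actual remedy.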

Simply upgrading to the above-mentioned versions will protect applications against RFD attacks. Some further steps can also be taken:

  • Encode rather than escape JSON responses. This is also an OWASP XSS recommendation. For an example of how to do that with Spring see https://github.com/rwinch/spring-jackson-owasp.
  • Configure suffix pattern matching to be turned off or restricted to explicitly registered suffixes only.
  • Configure content negotiation with the properties “useJaf” and “ignoreUnknownPathExtensions” set to false, which results in a 406 response for URLs with unknown extensions. Note however that this may not be an option if URLs are naturally expected to have a dot towards the end.
  • Add 'X-Content-Type-Options: nosniff' header to responses. Spring Security 4 does this by default.
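The following is an added example, not code from the advisory or the Spring project, showing how the last three hardening steps above look in a Spring MVC 4.x Java configuration. The class and bean names are this example's own; the configurer methods are the public Spring 4.x API.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

// Hypothetical configuration class applying the advisory's suggested hardening.
@Configuration
@EnableWebMvc
public class RfdHardeningConfig extends WebMvcConfigurerAdapter {

    // Suffix pattern matching: stop "/users/{id}.anything" from matching the
    // "/users/{id}" mapping. Either switch it off entirely, or keep it only for
    // suffixes explicitly registered for content negotiation (see below).
    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer.setUseSuffixPatternMatch(false);
        // Alternative when clients rely on ".json"/".xml" style URLs:
        // configurer.setUseSuffixPatternMatch(true).setUseRegisteredSuffixPatternMatch(true);
    }

    // Content negotiation: only the extensions registered here resolve to a media
    // type. No JAF lookup, and an unknown extension is an error (406 Not Acceptable)
    // rather than a response the browser might be talked into saving to disk.
    @Override
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        configurer
            .favorPathExtension(true)
            .useJaf(false)
            .ignoreUnknownPathExtensions(false)
            .mediaType("json", MediaType.APPLICATION_JSON)
            .mediaType("xml", MediaType.APPLICATION_XML);
    }

    // X-Content-Type-Options: nosniff on every response, so the browser does not
    // reinterpret a JSON or text body as something else. Spring Security 4 sets this
    // by default; this filter is for applications that do not use Spring Security.
    @Bean
    public OncePerRequestFilter noSniffFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain) throws ServletException, IOException {
                response.setHeader("X-Content-Type-Options", "nosniff");
                chain.doFilter(request, response);
            }
        };
    }
}
```

Under Spring Boot a Filter bean is registered with the servlet container automatically; in a plain Spring MVC deployment it still has to be mapped in web.xml or a WebApplicationInitializer (for instance through a DelegatingFilterProxy). The content-negotiation settings only take effect for path-extension resolution while `favorPathExtension` is on, which is why it is set explicitly rather than left to the default.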


RFD attacks were described by Trustwave in a paper. The issue in the Spring Framework was responsibly reported to Pivotal by Alvaro Muñoz from HPE Security Research. Special thanks to Toshiaki Maki and Tomoyuki Ikeya from NTT DATA Corporation for helping to verify the solution and identifying additional ways to exploit the vulnerability.


  • 2015-Oct-15: Initial vulnerability report published.
