CVE-2024-38819 – Path traversal in Spring Framework functional static resource handling
Severity: None
2025-12-19
Abstract
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
The Oxygen products incorporate Spring Framework (spring-webmvc) as a third‑party library. This advisory was opened to address the potential impact of this third‑party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Feedback v5.3 and older | None | N/A |
| Oxygen Content Fusion v8.2.1 and older | None | Oxygen Content Fusion 9.0 build 2026012715 |
Detail
CVE-2024-38819
Severity: High
CVSS Score: 7.5
CVE-2024-38819 is a path traversal issue that can affect applications serving static resources through Spring Framework’s functional web stacks (WebMvc.fn or WebFlux.fn). When static resources are served via RouterFunctions from a file system location, crafted HTTP requests may traverse directories and read files accessible to the application process.
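As an added illustration (not code from the Oxygen products or from Spring's own sources), the pattern this advisory refers to is a functional route whose resources come from a file-system location; auditing an application for `RouterFunctions.resources(...)` backed by a `FileSystemResource` or `file:` location is how to tell whether it exercises the affected code path. The `/files/**` pattern and `/var/www/static/` directory are assumed values, and the containment filter is a defense-in-depth check added here, independent of the library's own fix.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import org.springframework.core.io.FileSystemResource;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;

public class StaticResourceAudit {

    // Assumed values: a WebMvc.fn route serving files straight from a directory.
    // This is the configuration CVE-2024-38819 concerns: on a patched Spring
    // Framework it is safe; on an affected version it can expose files readable
    // by the application process.
    static RouterFunction<ServerResponse> fileBackedStaticRoute() {
        return RouterFunctions.resources("/files/**",
                new FileSystemResource("/var/www/static/"));
    }

    // Containment check on the (already URL-decoded) relative request path:
    // resolve it against the base directory, normalize away "." and ".."
    // segments, and accept only paths that remain inside the base directory.
    // Path.startsWith compares whole components, so "/var/www/static2" is
    // not treated as inside "/var/www/static".
    static boolean staysWithin(Path baseDir, String requestedRelativePath) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(requestedRelativePath).normalize();
        return resolved.startsWith(base);
    }

    // Defense-in-depth filter wrapped around the route: requests whose path
    // would escape the base directory get a 404 before any lookup happens.
    static RouterFunction<ServerResponse> guardedStaticRoute(Path baseDir) {
        return fileBackedStaticRoute().filter((request, next) -> {
            String relative = request.path().replaceFirst("^/files/?", "");
            return staysWithin(baseDir, relative)
                    ? next.handle(request)
                    : ServerResponse.notFound().build();
        });
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/www/static");
        System.out.println(staysWithin(base, "css/site.css"));
        System.out.println(staysWithin(base, "../../outside.txt"));
    }
}
```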
We reviewed our usage of Spring Framework components in the impacted services. Our implementations do not serve static resources via RouterFunctions from a file system location and run behind Tomcat, so the vulnerable code path is not present. We assess this finding as not exploitable in our supported configurations.
Starting with Content Fusion v8.0 we changed the runtime mechanism so that the application runs inside a Tomcat container. According to the CVE description, this deployment model is one of the cases in which the application is not vulnerable.
Starting with Content Fusion v9.0, we fixed this vulnerability by updating the affected library to a version that is not vulnerable to CVE-2024-38819.
