CVE-2024-38819 – Path traversal in Spring Framework functional static resource handling

Severity: None
Date: 2025-12-19


Abstract

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

The Oxygen products incorporate Spring Framework (spring-webmvc) as a third‑party library. This advisory was opened to address the potential impact of this third‑party library vulnerability.

Affected Products/Versions

Product                               | Severity | Fixed Release Availability
--------------------------------------|----------|---------------------------
Oxygen Feedback v5.1 and older        | None     | N/A
Oxygen Content Fusion v7.1 and older  | None     | N/A

Mitigation

None required (see Detail below).

Detail

CVE-2024-38819

Severity: High

CVSS Score: 7.5

CVE-2024-38819 is a path traversal issue that can affect applications serving static resources through Spring Framework’s functional web stacks (WebMvc.fn or WebFlux.fn). When static resources are served via RouterFunctions from a file system location, crafted HTTP requests may traverse directories and read files accessible to the application process.
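To make the affected pattern recognizable during a code review, the following is an added illustration of the WebMvc.fn shape described above; it is not code from the Oxygen products or from the Spring advisory, and the package, bean and path names (/files/**, /srv/content/) are assumed for the example.

```java
package example.review; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.FileSystemResource;
import org.springframework.web.servlet.function.RouterFunction;
import org.springframework.web.servlet.function.RouterFunctions;
import org.springframework.web.servlet.function.ServerResponse;

@Configuration
public class StaticResourceRoutes {

    // The shape the advisory describes as affected on unpatched Spring releases:
    // a functional route serving static content from a file-system location.
    // Reviewers should search for RouterFunctions.resources(...) combined with a
    // FileSystemResource (or any location that resolves to a directory on disk).
    @Bean
    public RouterFunction<ServerResponse> fileSystemStaticRoute() {
        return RouterFunctions.resources("/files/**",
                new FileSystemResource("/srv/content/")); // assumed directory
    }

    // Serving from the classpath does not match the "file system location"
    // condition named in the advisory. This only narrows the exposed code path;
    // the actual remediation is moving to a Spring Framework release that
    // contains the fix for CVE-2024-38819.
    @Bean
    public RouterFunction<ServerResponse> classpathStaticRoute() {
        return RouterFunctions.resources("/assets/**",
                new ClassPathResource("static/")); // assumed classpath folder
    }
}
```

The WebFlux.fn equivalent uses the same method name under org.springframework.web.reactive.function.server, so a search for RouterFunctions.resources across both packages covers both functional stacks. A service that registers no such route, as the assessment below states for the Oxygen products, never reaches the affected code.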

We reviewed our usage of Spring Framework components in the impacted services. Our implementations do not serve static resources via RouterFunctions from a file system location, and the services run behind Tomcat. The vulnerable code path is therefore not present, and we assess this finding as not exploitable in our supported configurations.
