rundeck · fdevans · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025
diff --git a/docs/history/cves/CVE-2025-41242.md b/docs/history/cves/CVE-2025-41242.md
@@ -0,0 +1,13 @@
+---
+order: 51
+---
+
+# CVE-2025-41242
+
+## Path traversal vulnerability on non-compliant Servlet containers
+
+::: danger FALSE POSITIVE
+ Rundeck and Runbook Automation are not vulnerable to this CVE.
+:::
+
+This is a Spring vulnerability, but the [CVE article](https://spring.io/security/cve-2025-41242) says "deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration."  The Rundeck product does not disable disable the default security features.
diff --git a/docs/history/cves/CVE-2025-48924.md b/docs/history/cves/CVE-2025-48924.md
@@ -1,5 +1,5 @@
 ---
-order: 51
+order: 52
 ---
 
 # CVE-2025-48924

diff --git a/docs/history/cves/index.md b/docs/history/cves/index.md
@@ -53,4 +53,6 @@ These are the Security Advisories Rundeck has issued in the past.  It is always
 * [CVE-2024-38819 Path traversal vulnerability in functional web frameworks #2](cve-2024-38819.md).
 * [CVE-2024-38820 Spring Framework's DataBinder false positive](cve-2024-38820.md).
 * [CVE-2024-38827 Locale-sensitive string case conversion methods](cve-2024-38827.md).
-* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
+* [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md).
+* [CVE-2025-41242 Spring Path traversal](cve-2025-41242.md).
+* [CVE-2025-48924 Issue in Apache Commons Lang](cve-2025-48924.md)