
Spring Framework CVE-2026-41842

EUVD-2026-35330 | HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 | vmware | GHSA-x23c-287f-qqv5
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 09, 2026 06:01 (EUVD)
Analysis generated: Jun 09, 2026 05:08 (vuln.today)

Description (NVD)

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Analysis (AI)

A denial-of-service flaw in Spring Framework's Spring MVC and WebFlux static resource resolution allows remote, unauthenticated attackers to exhaust application resources. It affects versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7. The CVSS 7.5 score reflects high availability impact over the network with no privileges or user interaction required; no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify internet-reachable Spring web app
Delivery: Probe static resource paths
Exploit: Send crafted resource resolution requests
Execution: Exhaust CPU/threads in resolver
Impact: Application stops serving traffic

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only that the target application is built on an affected Spring Framework version (5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, or 7.0.0-7.0.7) and that it exposes static resource handling via Spring MVC or Spring WebFlux, that is, it has registered resource handlers (ResourceHttpRequestHandler or ResourceWebHandler) reachable by the attacker, which is the default for most Spring web applications that serve any static content. …
Risk Assessment: The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H describes a network-reachable, low-complexity, fully unauthenticated attack with no user interaction and high availability impact, the textbook profile of a remotely triggerable DoS, which aligns with the 7.5 base score and CWE-400. …
Exploit Scenario: An unauthenticated attacker on the internet sends a small number of crafted HTTP requests to a Spring MVC or WebFlux application's static resource endpoint (for example a path mapped by addResourceHandlers such as /static/**); each request triggers disproportionately expensive resolution work in the framework. As request handlers or worker threads consume CPU, memory, or thread-pool slots, the application stops serving legitimate traffic, producing a denial of service without authentication or user interaction. …
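Because the scenario above needs only a few requests, each of which is expensive to serve, request-rate alerting on static paths can miss it; per-request processing time is the better hunt signal. The following is an added example, not code from this page, the vendor advisory or the Spring project: it parses access-log lines that carry a trailing processing-time field in milliseconds (an assumption; Tomcat's access log can be configured to emit one, but the exact pattern depends on the deployment), keeps only requests under the application's resource-handler prefixes (the STATIC_PREFIXES list is an assumption to adapt to your addResourceHandlers mappings), and reports clients whose static requests exceed a latency threshold. The sample log lines are constructed; the page gives no crafted-request shape, so nothing here keys on path contents.

```python
"""Hunt for slow static-resource requests in an HTTP access log.

Added example for the exploit scenario described above; not code from the
page, the advisory or Spring. Assumes a combined-log-style line ending in a
request-processing-time field in milliseconds (assumption; configure your
server's access log accordingly). SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: two clients fetching static files normally, one client
# whose /static/ requests each take several seconds, one slow non-static API
# call (must not be flagged), and one unparseable line (must be skipped).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2026:10:01:01 +0000] "GET /static/app.css HTTP/1.1" 200 4123 3
203.0.113.7 - - [09/Jun/2026:10:01:02 +0000] "GET /api/orders HTTP/1.1" 200 812 45
198.51.100.23 - - [09/Jun/2026:10:01:03 +0000] "GET /static/vendor.js HTTP/1.1" 404 0 8417
198.51.100.23 - - [09/Jun/2026:10:01:04 +0000] "GET /static/theme/site.css HTTP/1.1" 404 0 9102
198.51.100.23 - - [09/Jun/2026:10:01:05 +0000] "GET /static/theme/site.css?v=2 HTTP/1.1" 404 0 8890
192.0.2.10 - - [09/Jun/2026:10:01:06 +0000] "GET /api/report HTTP/1.1" 200 65000 2200
192.0.2.10 - - [09/Jun/2026:10:01:07 +0000] "GET /static/app.css HTTP/1.1" 200 4123 4
this line is not an access log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# Assumption: the prefixes your application maps with addResourceHandlers.
STATIC_PREFIXES = ("/static/", "/webjars/", "/css/", "/js/", "/images/")


def parse_line(line):
    """Return the parsed fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    return rec


def is_static(path):
    """True if the path (query string ignored) falls under a resource-handler mapping."""
    return path.split("?", 1)[0].startswith(STATIC_PREFIXES)


def find_slow_static(lines, threshold_ms=1000):
    """Return static-resource requests whose processing time exceeds the threshold.

    Latency, not volume, is the signal: in the scenario above each crafted
    request does disproportionately expensive resolution work and a handful of
    them suffices, so a request-rate threshold alone would miss the attack.
    Tune threshold_ms against your own baseline for static paths.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_static(rec["path"]):
            continue
        if rec["ms"] > threshold_ms:
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Aggregate hits per client IP: count, worst-case latency and distinct paths."""
    summary = defaultdict(lambda: {"count": 0, "max_ms": 0, "paths": set()})
    for h in hits:
        s = summary[h["ip"]]
        s["count"] += 1
        s["max_ms"] = max(s["max_ms"], h["ms"])
        s["paths"].add(h["path"].split("?", 1)[0])
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize_by_client(find_slow_static(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {s['count']} slow static requests, max {s['max_ms']} ms, "
              f"paths={sorted(s['paths'])}")
```

Run against the constructed sample, only 198.51.100.23 is reported: its three static requests each took over eight seconds, while the 2.2-second /api/report call is ignored because it is not under a resource-handler prefix. Pair this with the server's thread-pool saturation metrics, since the impact described above is exhausted worker threads rather than any single slow response.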
Remediation: A patch is available per the vendor advisory at https://spring.io/security/cve-2026-41842. Upgrade Spring Framework to the first fixed release on your supported branch (the fixed versions are later than 7.0.7, 6.2.18, 6.1.27, and 5.3.48 respectively; this page does not carry the exact fix version numbers, so take them from the advisory). If the framework version is managed transitively, for example through Spring Boot's dependency management, check the version actually resolved onto the classpath rather than the one declared in the build file. …

Recommended Action (AI)

Within 24 hours: conduct a complete inventory of Spring Framework usage across all applications; identify systems running versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, or 7.0.0-7.0.7; begin deploying WAF rules to rate-limit requests to static resource paths (a stopgap only, since the exploit scenario above needs just a small number of expensive requests, so the upgrade remains the fix). …
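For the inventory step, the check that matters is the Spring Framework version actually resolved onto each classpath, which is often set by a BOM rather than declared directly. The following is an added example, not vendor tooling or code from the advisory: it scans the text output of `mvn dependency:list`, `gradle dependencies` or a listing of jar paths for `org.springframework:spring-*` artifacts, prefers the Gradle `->` resolved version over the declared one, and flags versions inside the four affected ranges stated above. Because this page does not carry the fix version numbers, the script reports only "affected" or "not in a listed range" and never names a fix; the NON_FRAMEWORK_PREFIXES exclusion list and the sample input are assumptions, and the sample lines are constructed.

```python
"""Inventory check for CVE-2026-41842 against the affected ranges stated above.

Added example; not vendor tooling and not code from the advisory. Reads the
text output of `mvn dependency:list`, `gradle dependencies` or a list of jar
paths and flags Spring Framework artifacts whose resolved version falls in an
affected range. Fix versions are not on the page, so none are named here; take
them from the vendor advisory. SAMPLE_INPUT below is constructed.
"""
import re
from dataclasses import dataclass

# Affected ranges from the advisory text above, inclusive at both ends.
AFFECTED_RANGES = (
    ((5, 3, 0), (5, 3, 48)),
    ((6, 1, 0), (6, 1, 27)),
    ((6, 2, 0), (6, 2, 18)),
    ((7, 0, 0), (7, 0, 7)),
)

# Jar filenames carry no group id, so other Spring projects are excluded by
# artifact prefix (assumption: extend for other spring-* jars on your classpath).
NON_FRAMEWORK_PREFIXES = ("spring-boot", "spring-security", "spring-data", "spring-cloud")

# Maven:  `org.springframework:spring-webmvc:jar:6.2.10:compile`
# Gradle: `+--- org.springframework:spring-webflux:6.1.20 -> 6.1.27`
#         `+--- org.springframework:spring-web -> 7.1.0`   (version supplied by a BOM)
COORD_RE = re.compile(
    r"org\.springframework:(?P<artifact>spring-[a-z-]+)"
    r"(?::(?:jar:)?(?P<version>[0-9][^:\s]*))?(?::[a-z]+)?"
    r"(?:\s*->\s*(?P<resolved>[0-9][^\s()]*))?"
)
# Jar on disk or inside a Boot fat jar: `BOOT-INF/lib/spring-core-5.3.39.jar`
JAR_RE = re.compile(r"(?P<artifact>spring-[a-z-]+)-(?P<version>\d+\.\d+\.\d+[^/\\\s]*)\.jar$")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample mixing Maven, Gradle and jar-path lines.
SAMPLE_INPUT = """\
[INFO]    org.springframework:spring-webmvc:jar:6.2.10:compile
[INFO]    org.springframework:spring-core:jar:6.2.10:compile
+--- org.springframework:spring-webflux:6.1.20 -> 6.1.27
+--- org.springframework:spring-web -> 7.1.0
\\--- org.springframework.boot:spring-boot-starter-web:3.4.1
BOOT-INF/lib/spring-core-5.3.39.jar
BOOT-INF/lib/spring-boot-3.4.1.jar
lib/spring-webmvc-6.2.19.jar
"""


@dataclass(frozen=True)
class Finding:
    artifact: str
    version: str   # the version actually resolved onto the classpath
    affected: bool
    source: str    # the input line the finding came from


def parse_version(text):
    """(major, minor, patch) from a Spring version string; qualifiers such as
    -SNAPSHOT, -M1, -RC1 or a legacy .RELEASE suffix are ignored."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version):
    """True if the version string falls inside one of the published ranges."""
    v = parse_version(version)
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_lines(lines):
    """Return one Finding per distinct (artifact, resolved version) seen."""
    seen, findings = set(), []
    for raw in lines:
        line = raw.strip()
        m = COORD_RE.search(line) or JAR_RE.search(line)
        if not m:
            continue
        gd = m.groupdict()
        if gd["artifact"].startswith(NON_FRAMEWORK_PREFIXES):
            continue
        # Gradle prints `declared -> resolved`; the resolved one is what runs.
        version = gd.get("resolved") or gd.get("version")
        if not version or parse_version(version) is None:
            continue
        key = (gd["artifact"], version)
        if key in seen:
            continue
        seen.add(key)
        findings.append(Finding(gd["artifact"], version, is_affected(version), line))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_INPUT.splitlines()):
        verdict = "AFFECTED" if f.affected else "not in a listed range"
        print(f"{f.artifact} {f.version}: {verdict}  <- {f.source}")
```

Feed it `mvn dependency:list | python3 check.py` style output or a `find . -name 'spring-*.jar'` listing from deployed hosts; the constructed sample flags spring-webmvc and spring-core 6.2.10, spring-webflux 6.1.27 (the resolved version, at the top of its affected range) and spring-core 5.3.39, while spring-web 7.1.0 and spring-webmvc 6.2.19 are reported only as outside the listed ranges and Spring Boot's own jars are skipped. A "not in a listed range" result is not a clean bill of health; confirm against the fixed versions in the advisory.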



CVE-2026-41842 vulnerability details – vuln.today
