CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Description (NVD)
Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path).
Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Analysis (AI)
ReDoS (Regular Expression Denial of Service) in Spring Framework's AntPathMatcher exposes applications to partial availability loss when an attacker can supply a crafted pattern string consumed by match(), matchStart(), or extractUriTemplateVariables(). Affected branches span all major actively maintained lines - 5.3.x through 7.0.x - covering a wide installed base across Java enterprise deployments. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the vulnerable application passes attacker-controlled data as the pattern argument (not the path argument) to one or more of: AntPathMatcher.match(), AntPathMatcher.matchStart(), or AntPathMatcher.extractUriTemplateVariables(). … |
| Risk Assessment | The CVSS 3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) correctly categorizes this as a low-severity issue requiring significant preconditions. … |
| Exploit Scenario | An attacker identifies a Spring-based application endpoint that accepts a user-controlled string used as an AntPathMatcher pattern - for example, a custom URL routing API, a dynamic resource resolver, or a misconfigured security filter that evaluates user-provided path expressions. The attacker submits a specially crafted pattern string designed to trigger catastrophic backtracking in the regex engine, causing the processing thread to spin at high CPU for an extended period. … |
| Remediation | The primary remediation is to upgrade to the next patched release within the affected branch in use; consult the vendor advisory at https://spring.io/security/cve-2026-41848 for exact fixed version numbers, as they were not included in the available data. … |
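The precondition in the assessment above is a code shape: request data reaching the pattern argument of AntPathMatcher. The following is an added Java example, not code from this page or from the Spring project, contrasting that shape with one where request data only ever reaches the path argument and patterns come from a fixed application-defined list. Upgrading remains the fix; the class name, route list and method names are constructed for illustration and assume spring-core is on the classpath.

```java
import java.util.List;
import java.util.Map;
import org.springframework.util.AntPathMatcher;

// Constructed illustration: the vulnerable call shape next to a hardened replacement.
// RouteResolver and ALLOWED_PATTERNS are made up for this example.
public class RouteResolver {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Patterns are fixed at build or configuration time, never derived from a request.
    private static final List<String> ALLOWED_PATTERNS = List.of(
            "/api/v1/users/{userId}",
            "/api/v1/orders/{orderId}/items/**",
            "/static/**");

    // VULNERABLE SHAPE: request data flows into the *pattern* argument, so whoever
    // controls requestedPattern controls what the matcher has to process.
    static boolean vulnerableMatch(String requestedPattern, String path) {
        return MATCHER.match(requestedPattern, path);
    }

    // HARDENED SHAPE: request data only ever flows into the *path* argument; the
    // pattern side is always one of the fixed entries, so no caller can supply one.
    static String resolve(String requestPath) {
        for (String pattern : ALLOWED_PATTERNS) {
            if (MATCHER.match(pattern, requestPath)) {
                return pattern;
            }
        }
        return null; // no route matched
    }

    // Same rule for extractUriTemplateVariables: the template is the resolved fixed
    // pattern, the request supplies only the path to extract from.
    static Map<String, String> variables(String requestPath) {
        String pattern = resolve(requestPath);
        if (pattern == null) {
            return Map.of();
        }
        return MATCHER.extractUriTemplateVariables(pattern, requestPath);
    }

    public static void main(String[] args) {
        System.out.println(resolve("/api/v1/users/42"));
        System.out.println(variables("/api/v1/users/42"));
        System.out.println(resolve("/not/a/route"));
    }
}
```

When auditing a code base for this issue, the question to ask at each call site is whether the first argument can be traced back to a request, a message body or a stored value a remote user can write.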
Related identifiers
EUVD-2026-35336
GHSA-659m-px2c-25wj