CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability.
Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Analysis (AI)
Algorithmic denial of service in Spring Framework SpEL evaluation allows remote unauthenticated attackers to exhaust CPU/memory resources by submitting specially crafted Spring Expression Language expressions, degrading or crashing affected applications. Impacts Spring Framework 5.3.x through 7.0.x in any application that evaluates user-supplied SpEL. …
Vulnerability Assessment (AI)
| Section | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target application explicitly evaluates attacker-supplied strings as SpEL expressions - for example, exposing SpelExpressionParser to a request parameter, header, body field, or stored value originating from an untrusted source. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H confirms network-reachable, low-complexity, unauthenticated exploitation with high availability impact only - consistent with a DoS primitive rather than RCE. … |
| Exploit Scenario | An attacker identifies an internet-facing endpoint (e.g., a dynamic filter, rule, or query parameter) that the application passes to SpEL evaluation, then submits a small but pathologically structured expression that forces the evaluator into worst-case algorithmic behavior. A handful of concurrent requests pin worker threads at 100% CPU, exhausting the Tomcat/Netty thread pool and rendering the service unavailable to legitimate users without requiring any authentication or user interaction. |
| Remediation | Upgrade Spring Framework to a fixed maintenance release on your current branch - patch available per vendor advisory at https://spring.io/security/cve-2026-41850, with fix versions beyond 7.0.7, 6.2.18, 6.1.27, and 5.3.48 respectively; consult the advisory for the exact published patched version, as the input data does not specify it. … |
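The exploitation condition above is a code-review pattern: a string that originated in a request reaches `SpelExpressionParser` unchanged. The following Java is an added illustration, not code from the page, from vuln.today, or from the Spring project. It shows that pattern next to the shape a defender replaces it with, where request data only selects among developer-authored expressions that are parsed once at startup, plus the per-evaluation timing log the recommended action asks for. The `Order` bean, the `ALLOWED` map, the selector names and the 200 ms threshold are constructed for this example; the only fix for the DoS itself is the framework upgrade named in the advisory.

```java
import java.util.Map;
import java.util.logging.Logger;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SpelUsagePatterns {

    private static final Logger LOG = Logger.getLogger(SpelUsagePatterns.class.getName());
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Threshold for flagging a slow evaluation in logs (constructed value for this example).
    private static final long SLOW_EVAL_MS = 200;

    // Sample root object the expressions are evaluated against (constructed for this example).
    public static class Order {
        private final int quantity;
        private final double unitPrice;
        public Order(int quantity, double unitPrice) { this.quantity = quantity; this.unitPrice = unitPrice; }
        public int getQuantity() { return quantity; }
        public double getUnitPrice() { return unitPrice; }
    }

    // The vulnerable shape described in the assessment: request-controlled text becomes
    // the expression. This is the pattern to search for during inventory; it is kept here
    // only as the "before" and should not be shipped.
    public static Object evaluateUntrusted(String expressionFromRequest, Order order) {
        Expression expr = PARSER.parseExpression(expressionFromRequest);
        return expr.getValue(order);
    }

    // Hardened shape: expressions are authored by developers and parsed once; the request
    // contributes only a lookup key, so no attacker-controlled text reaches the parser.
    private static final Map<String, Expression> ALLOWED = Map.of(
        "total", PARSER.parseExpression("quantity * unitPrice"),
        "isBulk", PARSER.parseExpression("quantity >= 100")
    );

    public static Object evaluateAllowlisted(String selectorFromRequest, Order order) {
        Expression expr = ALLOWED.get(selectorFromRequest);
        if (expr == null) {
            throw new IllegalArgumentException("unknown expression selector");
        }
        // SimpleEvaluationContext restricts what an expression may touch (no type references,
        // no bean resolution). It narrows the surface of the expression language in general;
        // it is not a mitigation for this algorithmic DoS, which the version upgrade addresses.
        long start = System.nanoTime();
        try {
            return expr.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), order);
        } finally {
            // Per-evaluation timing gives the logging signal the recommended action asks for:
            // a burst of slow evaluations on one endpoint is the symptom to alert on.
            long elapsedMs = (System.nanoTime() - start) / 1_000_000;
            if (elapsedMs > SLOW_EVAL_MS) {
                LOG.warning("slow SpEL evaluation selector=" + selectorFromRequest + " ms=" + elapsedMs);
            }
        }
    }

    public static void main(String[] args) {
        Order order = new Order(120, 2.5);
        System.out.println(evaluateAllowlisted("total", order));
        System.out.println(evaluateAllowlisted("isBulk", order));
    }
}
```

When inventorying applications, grep for `parseExpression(` and trace each argument back to its origin; any path that ends at a request parameter, header, body field or a database column populated from user input matches the exploitation condition and is in scope for the upgrade.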
Recommended Action (AI)
Within 24 hours: Inventory all Spring Framework instances across production and non-production environments; determine which applications evaluate user-controlled SpEL expressions; enable logging on expression evaluation endpoints. …
Related Identifiers
EUVD-2026-35338
GHSA-r5w3-xv2f-j59q