CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description (NVD)
Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth.
Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Analysis (AI)
Unbounded cache growth in Spring Framework's SpEL evaluator allows remote unauthenticated attackers to exhaust JVM heap memory and cause a Denial of Service across all active Spring Framework branches (5.3.x through 7.0.x). Exploitation is conditional on the application explicitly accepting and evaluating user-supplied SpEL expressions - a non-default architectural pattern - which significantly constrains real-world blast radius compared to what the network-vector CVSS suggests. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the target application to explicitly pass user-controlled input to Spring Framework's SpEL expression evaluator, for example by calling ExpressionParser.parseExpression(userInput) or an equivalent, which is an opt-in architectural choice, not a default Spring Framework behavior. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L scores 5.3 Medium and correctly reflects unauthenticated, low-complexity network access paired with partial-only availability impact and no confidentiality or integrity exposure. … |
| Exploit Scenario | An attacker identifies a web application endpoint, such as a search filter, rules engine, or dynamic query interface, that accepts user text and passes it directly to Spring's SpEL evaluator. The attacker submits a high volume of requests containing structurally distinct but syntactically valid expressions, each generating a unique cache entry in the SpEL evaluation layer; over successive requests the JVM heap fills until the application becomes unresponsive or throws OutOfMemoryError, denying service to legitimate users. … |
| Remediation | The primary fix is to upgrade Spring Framework to a patched release; consult the vendor advisory at https://spring.io/security/cve-2026-41851 for the specific corrected versions, as exact fix version numbers were not included in the available intelligence and must be verified directly against that source. … |
Related identifiers: EUVD-2026-35339, GHSA-wxpp-56q6-5pcg