CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).
Affected versions: Spring Framework 5.3.0 through 5.3.48.
Analysis (AI)
Denial of service in Spring Framework 5.3.0 through 5.3.48 allows remote unauthenticated attackers to exhaust server resources by submitting crafted Spring Expression Language (SpEL) expressions that trigger an integer overflow during evaluation. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit identified at time of analysis. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The vulnerable application must evaluate attacker-controlled input as a SpEL expression. Typical exposure points include endpoints that accept user-defined rules, query filters, templated strings, or @Value-style expressions sourced from untrusted data. … |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:N/UI:N indicates a network-reachable, low-complexity, unauthenticated attack path, but the impact is bounded to availability (A:H, C:N/I:N): there is no path to code execution or data disclosure from this bug alone. … |
| Exploit Scenario | An attacker identifies a Spring-based web endpoint that evaluates user-supplied SpEL (for example a search filter, rule editor, or templated message field) and submits a crafted expression whose arithmetic causes an integer overflow during evaluation. The overflow drives the evaluator into excessive CPU or memory consumption, and repeated requests starve the worker pool until the service becomes unresponsive to legitimate users. |
| Remediation | The NVD description does not explicitly state patch availability. Refer to the vendor advisory at https://spring.io/security/cve-2026-41849 for the fixed 5.3.x maintenance release and any 6.x guidance, and upgrade spring-core/spring-expression to the listed version. … |
Recommended Action (AI)
Within 24 hours: Identify all applications and systems running Spring Framework 5.3.0-5.3.48 using software asset management and dependency scanning tools. …
References
- EUVD-2026-35337
- GHSA-775g-4xr8-78h8