CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.
Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Analysis (AI)
Memory exhaustion in Spring HATEOAS versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3 allows remote unauthenticated attackers to cause denial of service by sending requests with attacker-controlled link relation strings that accumulate indefinitely in an unbounded static cache of StringLinkRelation instances. With a CVSS 7.5 (high availability impact) and no public exploit identified at time of analysis, the issue is straightforward to trigger against any internet-facing Spring HATEOAS endpoint that derives link relations from request data. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not reproduced here).
Vulnerability Assessment (AI)
| Section | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target application instantiate StringLinkRelation (typically via LinkRelation.of() or HATEOAS representation assemblers) using a value derived from attacker-controlled HTTP input such as a path variable, query parameter, header, or request body field. Applications that only use compile-time-constant rels (IanaLinkRelations or static strings) are not exploitable. … |
| Risk Assessment | Signals are consistent and point to a real but bounded risk. … |
| Exploit Scenario | An attacker scripts a loop that issues HTTP requests to a public Spring REST endpoint, varying a path or query parameter that the application uses to construct a HATEOAS link relation (e.g., a relation-name field or a resource type used in a self/related link). Each unique value adds a permanent StringLinkRelation entry to the static cache; over minutes to hours the JVM heap fills, garbage collection thrashes, and the service crashes with OutOfMemoryError, taking down all tenants of that JVM. … |
| Remediation | Upgrade Spring HATEOAS to a fixed release on each maintained branch per the vendor advisory at https://spring.io/security/cve-2026-41007, specifically a version newer than 1.5.6 (1.5.x line), 2.3.4 (2.3.x), 2.4.1 (2.4.x), 2.5.2 (2.5.x), or 3.0.3 (3.0.x); exact fix versions should be confirmed from that advisory before deployment. … |
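The exploitation condition above turns on one design decision: whether the string handed to LinkRelation.of() can take unbounded values chosen by the client. As an added illustration (not code from this page or from the Spring HATEOAS project), the following shows the pattern the assessment warns against next to the closed-set mapping that removes the condition. The Spring HATEOAS calls used (LinkRelation.of, IanaLinkRelations.SELF/NEXT/PREV) are real API; the class name, method names and the particular allowed relation set are assumptions for the example.

```java
// Added example, not Spring HATEOAS project code.
// Assumes spring-hateoas on the classpath (any version; the API below is long-standing).
import org.springframework.hateoas.IanaLinkRelations;
import org.springframework.hateoas.LinkRelation;

import java.util.Map;
import java.util.Optional;

public class RelationMapping {

    // Vulnerable pattern described in the assessment: the relation name is whatever the
    // request carried. Every distinct value becomes a new StringLinkRelation that the
    // affected versions retain in a static cache, so unique inputs grow heap without bound.
    static LinkRelation relFromRequestUnsafe(String requestValue) {
        return LinkRelation.of(requestValue);
    }

    // Hardened pattern: request input selects from a fixed, compile-time set of relations.
    // The set is created once at class initialisation, so no request can add a new entry.
    // The allowed names here are an assumed example set for an "orders" resource.
    private static final Map<String, LinkRelation> ALLOWED = Map.of(
            "self", IanaLinkRelations.SELF,
            "next", IanaLinkRelations.NEXT,
            "prev", IanaLinkRelations.PREV,
            "orders", LinkRelation.of("orders"));

    // Returns empty for anything outside the allow-list; the caller should answer 400
    // rather than fall back to LinkRelation.of(requestValue).
    static Optional<LinkRelation> relFromRequestSafe(String requestValue) {
        if (requestValue == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(ALLOWED.get(requestValue));
    }

    public static void main(String[] args) {
        // Known name maps to the shared constant; unknown name is rejected, not cached.
        System.out.println(relFromRequestSafe("next").map(LinkRelation::value).orElse("rejected"));
        System.out.println(relFromRequestSafe("zzz-unique-per-request").map(LinkRelation::value).orElse("rejected"));
    }
}
```

The allow-list is the compensating control that applies even before the upgrade: it keeps the set of StringLinkRelation instances the process can ever create bounded by the source code, which is exactly the "compile-time-constant rels" case the assessment marks as not exploitable. Upgrading to the fixed release per the vendor advisory remains the actual remediation.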
Recommended Action (AI)
Within 24 hours: Inventory all applications using Spring HATEOAS and identify which are running versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, or 3.0.0-3.0.3. …
Related identifiers: EUVD-2026-35346, GHSA-439x-6767-44cv