Spring HATEOAS Deserialization and Cache Exhaustion
2026-06-09
Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, with a high impact on availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
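To make the annotation check concrete, the following is an added example (not code from Spring HATEOAS) of a minimal reflection-based property binder that consults the Jackson annotations before writing a field; the Account class, its field names and the payload are constructed for illustration, and only jackson-annotations is assumed on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.lang.reflect.Field;
import java.util.Map;

public class AnnotationAwareBinder {

    // Constructed sample resource: two fields the developer marked as not writable from input.
    public static class Account {
        public String displayName;
        @JsonIgnore
        public boolean admin;
        @JsonProperty(access = JsonProperty.Access.READ_ONLY)
        public String id;
    }

    // Returns true when Jackson annotations forbid binding this field from inbound data:
    // an active @JsonIgnore, or @JsonProperty with access = READ_ONLY (serialize only).
    static boolean inboundRestricted(Field f) {
        JsonIgnore ignore = f.getAnnotation(JsonIgnore.class);
        if (ignore != null && ignore.value()) {
            return true;
        }
        JsonProperty p = f.getAnnotation(JsonProperty.class);
        return p != null && p.access() == JsonProperty.Access.READ_ONLY;
    }

    // Reflection-based binding that honours the annotations: restricted keys are skipped
    // instead of being set, and keys that match no declared field are ignored.
    static <T> T bind(Class<T> type, Map<String, Object> props) throws ReflectiveOperationException {
        T target = type.getDeclaredConstructor().newInstance();
        for (Field f : type.getDeclaredFields()) {
            if (!props.containsKey(f.getName()) || inboundRestricted(f)) {
                continue;
            }
            f.setAccessible(true);
            f.set(target, props.get(f.getName()));
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload that tries to set every field, including the two restricted ones.
        Map<String, Object> payload = Map.of("displayName", "alice", "admin", true, "id", "42");
        Account a = bind(Account.class, payload);
        // Only displayName is bound; admin keeps its default and id stays null.
        System.out.println(a.displayName + " admin=" + a.admin + " id=" + a.id);
    }
}
```

A binder that omits the inboundRestricted check is the pattern the advisory describes: every key in the payload lands on the matching field regardless of how the developer annotated it.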
Memory exhaustion in Spring HATEOAS versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3 allows remote unauthenticated attackers to cause denial of service by sending requests with attacker-controlled link relation strings that accumulate indefinitely in an unbounded static cache of StringLinkRelation instances. With a CVSS score of 7.5 (high impact on availability) and no public exploit identified at time of analysis, the issue is straightforward to trigger against any internet-facing Spring HATEOAS endpoint that derives link relations from request data. Not listed in CISA KEV.