Skip to main content

Spring Hateoas

3 CVEs product

Monthly

CVE-2026-41007 HIGH PATCH This Week

Memory exhaustion in Spring HATEOAS versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3 allows remote unauthenticated attackers to cause denial of service by sending requests with attacker-controlled link relation strings that accumulate indefinitely in an unbounded static cache of StringLinkRelation instances. With a CVSS 7.5 (high availability impact) and no public exploit identified at time of analysis, the issue is straightforward to trigger against any internet-facing Spring HATEOAS endpoint that derives link relations from request data. Not listed in CISA KEV.

Denial Of Service Java Spring Hateoas
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41006 HIGH PATCH This Week

Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, causing high-availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Java Spring Hateoas
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2023-34036 Maven MEDIUM PATCH This Month

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Spring Hateoas
NVD
CVSS 3.1
5.3
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion in Spring HATEOAS versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3 allows remote unauthenticated attackers to cause denial of service by sending requests with attacker-controlled link relation strings that accumulate indefinitely in an unbounded static cache of StringLinkRelation instances. With a CVSS 7.5 (high availability impact) and no public exploit identified at time of analysis, the issue is straightforward to trigger against any internet-facing Spring HATEOAS endpoint that derives link relations from request data. Not listed in CISA KEV.

Denial Of Service Java Spring Hateoas
NVD HeroDevs VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, causing high-availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Java Spring Hateoas
NVD HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Spring Hateoas
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy