Skip to main content

Spring Retry

1 CVEs product

Monthly

CVE-2026-41710 MEDIUM PATCH This Month

Stateful retry cache exhaustion in Spring Retry 1.3.0-1.3.4 and 2.0.0-2.0.12 allows an unauthenticated remote attacker to permanently disable all retry and circuit breaker logic application-wide by flooding the service with uniquely crafted failure-triggering requests until the bounded cache is saturated. Once exhausted, the cache enters a terminal rejection state that persists until the application is restarted - making this a durable, high-impact denial-of-service condition against Java services relying on Spring Retry for resilience. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the network-accessible unauthenticated attack surface makes this relevant to any internet-facing Spring application using stateful retry patterns.

Denial Of Service Java Spring Retry
NVD HeroDevs VulDB
CVSS 3.1
5.9
EPSS
0.0%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Stateful retry cache exhaustion in Spring Retry 1.3.0-1.3.4 and 2.0.0-2.0.12 allows an unauthenticated remote attacker to permanently disable all retry and circuit breaker logic application-wide by flooding the service with uniquely crafted failure-triggering requests until the bounded cache is saturated. Once exhausted, the cache enters a terminal rejection state that persists until the application is restarted - making this a durable, high-impact denial-of-service condition against Java services relying on Spring Retry for resilience. No public exploit has been identified at time of analysis, and CISA KEV listing is absent, but the network-accessible unauthenticated attack surface makes this relevant to any internet-facing Spring application using stateful retry patterns.

Denial Of Service Java Spring Retry
NVD HeroDevs VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy