CVE-2026-41007: Spring HATEOAS Unbounded Cache Denial-of-Service Vulnerability
Spring HATEOAS, a widely used library for building REST APIs with hypermedia support, contains a denial-of-service vulnerability stemming from an unbound cache. Attackers can exploit this by sending specially crafted requests that cause the application to accumulate StringLinkRelation objects indefinitely, eventually exhausting memory and crashing the service. The vulnerability affects multiple versions across the 1.5, 2.3, 2.4, 2.5, and 3.0 release lines.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-770
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-27
NVD description (verbatim)
Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
Spring HATEOAS maintains a static cache of StringLinkRelation instances that is keyed on attacker-controlled input strings without size limits. An unauthenticated, network-accessible attacker can trigger cache growth by submitting requests with varying link relation values, causing unbounded memory consumption. The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) and receives a CVSS 3.1 score of 7.5 (HIGH) due to its network accessibility, low attack complexity, and direct availability impact.
Business impact
Organizations deploying Spring HATEOAS face potential service disruption through memory exhaustion attacks. REST API endpoints become unresponsive or crash without authentication barriers, affecting availability for legitimate users. This is particularly critical for companies relying on Spring-based microservices for customer-facing or internal APIs, as the attack requires no credentials and can be executed remotely with minimal overhead.
Affected systems
VMware Spring HATEOAS versions 1.5.0–1.5.6, 2.3.0–2.3.4, 2.4.0–2.4.1, 2.5.0–2.5.2, and 3.0.0–3.0.3 are vulnerable. Organizations should audit their Maven or Gradle dependencies to identify which release lines are in use and cross-reference against this list. The vulnerability spans both older and recent major versions, requiring attention across diverse application portfolios.
Exploitability
Exploitation is straightforward: the attack vector is network-based, requires no authentication, and demands low complexity. An attacker needs only to craft HTTP requests with varying link relation header values or parameters to trigger cache pollution. No user interaction is required. The vulnerability is immediately actionable once a vulnerable version is deployed in a network-accessible location, making it a high-priority concern for public-facing APIs.
Remediation
Affected organizations must upgrade Spring HATEOAS to patched versions beyond the identified vulnerable ranges. Verify the exact patch versions available from the VMware Spring HATEOAS release notes and apply the latest stable release for your active version line. As an interim mitigation, implement network-level rate limiting or request filtering on endpoints that process link relations to reduce attack surface before patching becomes feasible.
Patch guidance
Consult the official VMware Spring HATEOAS repository and release notes to identify the minimum patched versions for each release line (1.5.x, 2.3.x, 2.4.x, 2.5.x, 3.0.x). Update your build configuration (pom.xml or build.gradle) to specify the patched version and re-test REST API endpoints to confirm normal hypermedia link generation. Prioritize updating to the latest stable release in your active version line to benefit from other security and stability improvements.
Detection guidance
Monitor application memory usage patterns for unexpected growth correlated with API requests containing unusual or high-cardinality link relation values. Enable debug logging in Spring HATEOAS to observe cache behavior. Search logs for requests with atypical or malformed link relation parameters. Implement heap dump analysis during suspected attacks to confirm StringLinkRelation cache bloat. Network-based detection can flag requests with repetitive variations in header or query parameters targeting link relation handling.
Why prioritize this
This vulnerability combines high exploitability (network-accessible, no auth required, low complexity) with direct availability impact. The unbounded cache is a design flaw rather than a narrow edge case, making it likely to trigger in normal operation if an attacker is present. The broad version range affected means most organizations using Spring HATEOAS have some exposure. Immediate inventory and patching efforts are warranted.
Risk score, explained
The CVSS 7.5 (HIGH) score reflects network accessibility (AV:N), low attack complexity (AC:L), no privilege or user interaction requirements (PR:N/UI:N), and direct impact on availability (A:H). The absence of confidentiality or integrity impact prevents a CRITICAL rating, but the ease of exploitation and potential for widespread disruption across Spring-based infrastructure justifies urgent remediation planning.
Frequently asked questions
Does this vulnerability require authentication to exploit?
No. The vulnerability is exploitable by any unauthenticated attacker with network access to the application. No credentials, API keys, or user interaction are needed.
What is the difference between the affected version ranges (1.5, 2.3, 2.4, 2.5, 3.0)?
These represent different major and minor release lines of Spring HATEOAS. Organizations may have dependencies on any of these lines depending on when they last updated. You must check all active applications and identify which versions they use, then upgrade within each line to the patched release.
Can I mitigate this without upgrading immediately?
Partial mitigation is possible through network-level rate limiting, request filtering on endpoints that process link relations, or temporarily restricting API access. However, these are temporary measures; patching is the definitive fix.
How do I know if my application is vulnerable?
Check your Maven or Gradle dependency tree for spring-hateoas. If the version matches any of the ranges listed (1.5.0–1.5.6, 2.3.0–2.3.4, 2.4.0–2.4.1, 2.5.0–2.5.2, 3.0.0–3.0.3), your application is vulnerable. Use `mvn dependency:tree` or `gradle dependencies` to confirm.
This analysis is based on published vulnerability data as of the date of authoring. Versions, patch statuses, and mitigation strategies should be verified against official VMware Spring HATEOAS advisories and release notes. Testing in a non-production environment is strongly recommended before applying patches. This analysis does not constitute legal, compliance, or vendor-specific guidance; consult your organization's security team and vendor support for context-specific advice. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-41851MEDIUMSpring Framework SpEL Denial of Service Vulnerability
- CVE-2025-46638HIGHDell BSAFE SSL-J Resource Exhaustion DoS Vulnerability
- CVE-2026-28299HIGHSolarWinds Web Help Desk Denial-of-Service Vulnerability – CVSS 8.2
- CVE-2026-34077HIGHReact Router XSS in RSC Redirect Handling – Patch Guidance
- CVE-2026-40983HIGHMicrometer gRPC Denial-of-Service Vulnerability
- CVE-2026-40984HIGHMicrometer Denial-of-Service Vulnerability – HTTP Request Handling Flaw
- CVE-2026-42570HIGHSvelte Devalue Denial-of-Service via Sparse Array Deserialization