HIGH 7.5

CVE-2026-41695: Spring Data Commons Denial of Service via Property Path Exhaustion

Spring Data Commons, a widely-used Java framework component, contains a denial-of-service vulnerability in how it processes property path strings. An attacker can send specially crafted requests that cause the application to exhaust system resources (CPU, memory) during property resolution, making the service unavailable to legitimate users. This affects versions 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the MappingContext property path resolution logic within Spring Data Commons. When attacker-controlled property path strings are passed to this resolution mechanism without adequate guards, they can trigger pathological computation patterns that consume excessive CPU and memory. The issue is classified as CWE-400 (Uncontrolled Resource Consumption), indicating the absence of proper rate limiting or complexity bounds in the parsing logic. The attack requires no authentication or user interaction, making it trivial to exploit from the network.

Business impact

Applications built on vulnerable Spring Data Commons versions become susceptible to resource exhaustion attacks that degrade availability. For services relying on REST endpoints, GraphQL APIs, or query interfaces that expose property path filtering or querying, attackers can trigger denial of service without obtaining credentials or exploiting authentication mechanisms. This can impact SLA compliance, customer-facing uptime, and operational stability. Organizations running microservices architectures using Spring Data are particularly exposed, as a single vulnerable instance can be repeatedly targeted.

Affected systems

Any Java application or service that depends on Spring Data Commons versions 3.4.0–3.4.14, 3.5.0–3.5.11, or 4.0.0–4.0.5 is affected. This includes Spring Data JPA, Spring Data MongoDB, Spring Data REST, and other Spring Data implementation modules that pull in the commons library as a transitive dependency. Applications should audit their dependency trees (via Maven, Gradle, or similar build tooling) to identify whether they reference vulnerable versions. Indirect dependencies are particularly important to check.

Exploitability

This vulnerability requires minimal effort to exploit. An attacker needs only network access to send HTTP requests with malicious property paths to an exposed endpoint. No authentication, special privileges, or user interaction are required. The attack vector is straightforward: craft a request with a deeply nested or computationally expensive property path string and observe the system's response time degrade or the service become unavailable. This makes it attractive for automated scanning and opportunistic attacks. The CVSS score of 7.5 (HIGH) reflects the ease of exploitation and high availability impact, despite the absence of confidentiality or integrity consequences.

Remediation

Upgrade affected Spring Data Commons to patched versions immediately. Verify against the official Broadcom Spring Data advisory for exact patched version numbers for your minor version branch. After patching, rebuild and redeploy affected applications. If immediate patching is not feasible, implement network-level mitigations: rate limit incoming requests by source IP, implement request size limits on property path parameters, and monitor for unusual patterns in request latency or error rates. Apply these controls at API gateways, load balancers, or web application firewalls.

Patch guidance

Consult the Broadcom Spring Data Commons security advisory to determine the correct patched version for your currently deployed version line. Versions 3.4.x, 3.5.x, and 4.0.x may have different patch releases. Verify the patch version against the official vendor announcement. After applying patches, perform integration testing to confirm no regressions in property resolution or query functionality. If you use a dependency management tool (Maven BOM, Gradle platform), update the Spring Data version declaration and rebuild all dependent modules. Test in a staging environment before production rollout.

Detection guidance

Monitor application logs and metrics for signs of resource exhaustion: sustained high CPU usage, memory growth, or increased garbage collection frequency correlating with incoming requests. Log all property path strings submitted to query endpoints and analyze for unusual complexity, nesting depth, or repeated special characters. Implement alerting on response time degradation for query-related endpoints. Network-based detection can identify repeated requests with long or malformed property path parameters sent to vulnerable endpoints. Consider correlating such patterns with source IPs to identify scanning or attack campaigns. Baseline normal property path complexity in your environment and flag outliers.

Why prioritize this

This vulnerability warrants high priority remediation because exploitation is trivial, requires no authentication, and directly impacts service availability. The HIGH CVSS score, combined with the ubiquity of Spring Data in Java microservices architectures, means broad organizational exposure. Unlike vulnerabilities requiring specific configurations or user interaction, this is a straightforward resource exhaustion flaw that can be triggered on any exposed endpoint using Spring Data's property resolution. Delaying patches increases the window for automated exploitation during the vulnerability disclosure period.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects: (1) Network-accessible attack surface (AV:N), (2) Low complexity attack requiring no special conditions (AC:L), (3) No authentication required (PR:N), (4) No user interaction needed (UI:N), (5) Single-target scope (S:U), (6) No confidentiality or integrity impact (C:N, I:N), but (7) High availability impact from resource exhaustion (A:H). The absence of KEV status indicates this is not currently on CISA's Known Exploited Vulnerabilities catalog, but the simplicity of exploitation suggests proactive patching is critical before threat actors develop weaponized tooling.

Frequently asked questions

Do I need authentication credentials to exploit this vulnerability?

No. The vulnerability does not require authentication. Any attacker with network access to an endpoint that accepts property path parameters can craft a malicious request to trigger resource exhaustion.

What happens if we apply only partial mitigations like rate limiting without patching?

Rate limiting can reduce the immediate attack surface and slow exploitation, but it does not fix the underlying flaw. A patient attacker or determined adversary can still cause denial of service, albeit at a slower pace. Patching is the definitive remediation; mitigations buy time for patching and deployment.

How do I determine if my application uses the vulnerable Spring Data Commons versions?

Review your application's dependency tree using Maven (mvn dependency:tree) or Gradle (gradle dependencies). Look for spring-data-commons with version 3.4.0–3.4.14, 3.5.0–3.5.11, or 4.0.0–4.0.5. Check both direct and transitive dependencies, as Spring Data modules (JPA, MongoDB, etc.) often pull in commons automatically.

Are Spring Data REST endpoints the only attack surface?

No. Any application code that directly or indirectly uses MappingContext property path resolution with user-supplied input is vulnerable. This includes REST controllers accepting query filters, GraphQL resolvers, and custom repository implementations. Identify all endpoints or services that accept property path parameters and test them.

This analysis is based on the CVE record and vendor advisory information available as of the publication date. Specific patch version numbers, SLAs, and detailed remediation steps should be verified directly against the Broadcom Spring Data Commons security advisory and your organization's internal policies. This assessment does not constitute professional security advice tailored to your specific infrastructure; conduct a formal risk assessment in your environment before deciding on remediation timelines. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).