MEDIUM 5.9

CVE-2026-41710: Spring Retry Cache Exhaustion Denial of Service

Spring Retry, a popular Java retry library used across enterprise applications, contains a vulnerability that allows attackers to disable the retry and circuit-breaker mechanisms that applications depend on for resilience. By sending many crafted requests designed to fail, an attacker can fill the application's retry cache until it stops accepting new entries. Once saturated, the cache becomes permanently unable to process any further retries or circuit-breaker decisions, effectively breaking the fault-tolerance layer of affected applications.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-770
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-23

NVD description (verbatim)

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an unguarded resource exhaustion condition in the stateful retry cache mechanism. An attacker can craft requests that reliably trigger failures, causing unique entries to accumulate in the application-wide retry cache. The cache lacks sufficient capacity limits or eviction policies, permitting an adversary to exhaust available memory or slots. Once the cache reaches capacity, it enters a rejection state where new updates are permanently denied. This cascading failure prevents both stateful retry logic and circuit breaker functionality from operating, violating the availability assumptions of resilience patterns that applications have deployed. The issue affects Spring Retry versions 2.0.0 through 2.0.12 and 1.3.0 through 1.3.4.

Business impact

Organizations running Spring Retry are exposed to application-level denial of service. When an attacker saturates the retry cache, dependent services lose their ability to recover from transient failures or degrade gracefully. This impacts SLA compliance, increases mean time to recovery (MTTR), and can cascade through microservice architectures. Services that rely on circuit breakers to prevent cascading failures become unable to activate those protections, potentially amplifying outage scope. The effect is particularly acute in cloud-native or event-driven systems where retry semantics are foundational to operational stability.

Affected systems

Spring Retry 2.0.0 through 2.0.12 and 1.3.0 through 1.3.4 are vulnerable. Any Java application that directly imports Spring Retry and relies on its stateful retry or circuit-breaker capabilities is at risk. This includes Spring Cloud applications, microservices using Spring Boot with fault tolerance patterns, and custom applications that explicitly depend on Spring Retry for transient failure handling. Verify your dependency tree and Spring Retry version via Maven or Gradle configuration files.

Exploitability

Exploitation requires network access to trigger requests that cause application failures—an adversary must induce errors that accumulate distinct cache entries. The attack does not require authentication or special privileges, and the CVSS vector reflects the relatively high bar for triggering the condition (AC:H). However, once the cache is exhausted, the effect is deterministic and irreversible without intervention. The attack is not in the CISA Known Exploited Vulnerabilities (KEV) catalog at this time, though this absence should not be conflated with low practical risk in critical deployments.

Remediation

Upgrade Spring Retry to a patched version released after the vulnerability disclosure. Verify the exact patch version against the vendor advisory, as version numbers may differ between the 1.x and 2.x release lines. As an interim mitigating control, implement external rate limiting or request validation that rejects obviously malicious or repetitive failure-triggering patterns before they reach the application's retry logic. Monitor cache saturation metrics if instrumentation is available. Confirm remediation by testing that retry and circuit-breaker functionality remain operational under load.

Patch guidance

Consult the official Spring Retry release notes and security advisories published after June 9, 2026 to identify the appropriate patched version for your release line. Apply patches during a maintenance window, prioritizing production environments. Conduct smoke testing to verify that retry and circuit-breaker behaviors are restored and that no configuration changes are required. If you are on Spring Retry 1.3.x, confirm whether your organization plans to migrate to 2.x or stay on the legacy line, as patch availability may differ.

Detection guidance

Monitor application logs and metrics for signs of retry cache saturation: repeated cache-full errors, increasing counts of rejected retry operations, or circuit breakers that fail to activate. Inspect the number of unique failure signatures reaching your retry logic in short time windows; a spike may indicate an attack. Correlation with inbound request patterns—particularly multiple failure-inducing requests from the same source or coordinated sources—strengthens suspicion. Consider deploying APM or observability tools that can track cache occupancy and rejection rates in near-real time.

Why prioritize this

This vulnerability merits prompt but measured attention. Its MEDIUM CVSS score (5.9) reflects the requirement for an attacker to craft specific failure conditions, yet the impact on availability is severe once triggered. The attack surface is network-accessible and requires no authentication. In environments where Spring Retry is a critical component of production resilience—particularly in microservice architectures or systems with strict availability requirements—timely patching is essential. Organizations with legacy versions (1.3.x) should assess whether staying on that line or upgrading to 2.x is more practical.

Risk score, explained

The CVSS v3.1 score of 5.9 (MEDIUM severity) accounts for network-accessible attack vector (AV:N) with no authentication required (PR:N), but a relatively higher complexity barrier (AC:H) to successfully induce the failure condition. Impact is confined to availability (A:H); confidentiality and integrity are unaffected (C:N, I:N). The score appropriately reflects that while the attack is feasible, it requires deliberate crafting and does not grant direct code execution or data exposure. However, the cascading availability impact on fault-tolerant systems may warrant treating this as higher priority in your own risk model.

Frequently asked questions

If my application is using Spring Retry, does that mean I'm definitely affected?

Only if your version matches the vulnerable ranges (2.0.0–2.0.12 or 1.3.0–1.3.4). Check your pom.xml or build.gradle file. Even then, impact depends on whether your application actively relies on stateful retry or circuit-breaker features; purely stateless retry usage is less likely to be impaired.

What's the difference between the 1.3.x and 2.x branches, and which should I upgrade to?

Spring Retry 1.3.x is the legacy maintenance line; 2.x is the current active development line. If you are on 1.3.x, consult your organization's Spring versioning strategy. Patch availability and release timelines may differ between branches. Consider whether the effort to upgrade to 2.x is justified by your long-term roadmap.

Can I work around this without immediately upgrading?

Temporary mitigations include implementing external request filtering or rate limiting to block patterns that trigger repeated failures, and monitoring cache metrics to alert on saturation. However, these do not eliminate the underlying vulnerability—patching is the proper fix.

Will this vulnerability affect Spring Boot if I'm using Spring Retry as a dependency?

Spring Boot applications that include Spring Retry as a dependency are affected if they use the vulnerable versions. Spring Boot itself is not directly vulnerable; the vulnerability is in the Spring Retry library. Verify your Spring Boot Bill of Materials (BOM) and transitive dependency versions.

This analysis is provided for informational purposes and does not constitute professional security advice. Patch version numbers, release dates, and remediation steps must be verified against official vendor advisories and security bulletins. Organizations should conduct their own risk assessment based on their deployment architecture, threat model, and business criticality. No exploit code or detailed attack reproduction steps are provided herein. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).