MEDIUM 5.9

CVE-2026-41711: Spring Data Commons Stack Overflow DoS Vulnerability – Analysis & Patch Guidance

Spring Data Commons, a widely-used data access library in the Spring ecosystem, contains a flaw in how it processes Sort parameters. An attacker can craft malicious Sort requests that cause applications to exhaust stack memory, crashing the service. This is a network-accessible denial-of-service vulnerability that requires no authentication or user interaction—any exposed endpoint accepting Sort parameters becomes an attack surface.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a StackOverflowException when parsing Sort parameters. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper recursive handling of Sort parameter parsing in Spring Data Commons. When a specially crafted Sort parameter is submitted—typically via HTTP request parameters or API calls—the parsing logic enters deep recursion without adequate termination conditions, triggering a StackOverflowException. The flaw affects a wide range of Spring Data Commons versions from 2.7.0 through 4.0.5 across multiple major version lines. The CVSS 3.1 score of 5.9 (MEDIUM) reflects high availability impact but no confidentiality or integrity compromise; the AC:H (Attack Complexity High) vector suggests the malicious payload requires specific crafting but remains network-exploitable without privilege elevation.

Business impact

Service availability is the primary risk. Applications relying on Spring Data Commons for REST APIs, GraphQL resolvers, or data query interfaces face potential crashes when processing untrusted Sort input. This can cascade into cascading failures in microservice architectures or cloud-native deployments where a single compromised endpoint brings down shared services. Recovery requires process restart, and the vulnerability can be triggered repeatedly by an unauthenticated attacker, enabling sustained denial of service. Organizations with high-availability requirements or public-facing APIs should treat this as a service continuity concern.

Affected systems

Spring Data Commons versions 2.7.0–2.7.19, 3.0.0–3.0.15, 3.1.0–3.1.14, 3.2.0–3.2.15, 3.3.0–3.3.16, 3.4.0–3.4.14, 3.5.0–3.5.11, and 4.0.0–4.0.5 are vulnerable. Any Java application bundling these versions—including Spring Data JPA, Spring Data MongoDB, Spring Data REST, and custom implementations—inherits the risk. Organizations should audit dependency trees across all Spring-based microservices, including transitive dependencies, to identify exposure.

Exploitability

Exploitation requires network access to an endpoint that accepts Sort parameters but no authentication, credentials, or user interaction. The attack complexity is rated High, meaning the payload must be carefully constructed, but once understood, it is reproducible and automatable. Proof-of-concept exploit code is not widely public at this time, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the attack surface is broad: any REST endpoint, GraphQL interface, or query API accepting sort directives becomes a potential target. Threat actors with basic familiarity with Spring Data parameter syntax can weaponize this.

Remediation

Upgrade to patched versions: verify against vendor advisories for the specific remediation releases in each line (2.7.x, 3.0.x–3.5.x, and 4.0.x). In parallel, apply input validation and rate limiting to Sort parameter endpoints to mitigate attack surface prior to patching. Organizations on end-of-life versions should prioritize upgrade planning. If immediate patching is not feasible, implement Web Application Firewall (WAF) rules to detect and block malformed Sort parameters.

Patch guidance

Consult the Broadcom Spring Security advisory and release notes for specific patched versions in each affected line. Staging and testing is recommended before production deployment, given the breadth of affected versions. Spring Boot applications should verify their dependency management to ensure transitive Spring Data Commons updates are included. Organizations using Spring Boot starters (spring-boot-starter-data-jpa, etc.) should check for corresponding Spring Boot patch releases that update the embedded Spring Data Commons version.

Detection guidance

Monitor application logs and infrastructure metrics for sudden StackOverflowException errors, especially in data-access or query-processing layers. Correlate with HTTP request patterns containing unusual or deeply nested Sort parameters. Web access logs may reveal repeated requests to data endpoints with suspicious sort directives. Network detection can focus on HTTP requests with excessively long or recursively structured sort query parameters. Implement alerting for process crashes or restarts triggered by out-of-memory errors in Java applications.

Why prioritize this

Although rated MEDIUM severity, prioritize this vulnerability for organizations with public-facing or high-traffic APIs. The network-accessible, unauthenticated nature and simplicity of crafting a payload elevate practical risk. It does not compromise data confidentiality or integrity, but targeted DoS can disrupt business operations. Services without load balancing or auto-scaling are at greatest risk. Combine this vulnerability with your organization's availability SLAs and attack surface exposure to determine priority within your patch cycle.

Risk score, explained

The CVSS 5.9 (MEDIUM) score reflects unavailability as the sole impact, offset by the requirement for crafted input (AC:H). The vector AV:N (network-accessible) and PR:N (no privileges required) elevate practical exploitability. Organizations with internet-facing endpoints should consider contextual risk higher; those with internal-only deployments may defer below critical items. The absence of KEV listing suggests limited current active exploitation, but this does not guarantee future weaponization.

Frequently asked questions

Can this vulnerability lead to data loss or exposure?

No. StackOverflowException causes application crashes and denial of service, but does not leak, modify, or delete data. Confidentiality and integrity are not compromised.

Do we need special tools or exploits to test if we're vulnerable?

No special tools are required. A proof-of-concept can be crafted by submitting a carefully nested or deeply recursive Sort parameter to a data endpoint. However, do not attempt this in production. Review your Spring Data Commons version against the affected ranges listed in the CVE.

If we're on Spring Boot, do we need to update Spring Data Commons separately?

Likely not. Spring Boot includes Spring Data Commons as a transitive dependency. Updating to a patched Spring Boot version will pull the fixed Spring Data Commons. Verify the Spring Boot release notes to confirm the included Spring Data Commons version.

What if we don't use Sort parameters in our API?

If your application does not expose endpoints accepting Sort directives, or if Sort functionality is disabled, your exposure is minimal. However, audit your API surface carefully—Sort is often used implicitly in REST query endpoints and may be enabled by default in Spring Data REST.

This analysis is provided for informational and strategic planning purposes. All CVSS scores, affected versions, and vendor product names are based on official CVE and vendor data current as of the last update. Patch version recommendations must be verified against official Broadcom/VMware Spring Security advisories before deployment. This vulnerability has not been designated a Known Exploited Vulnerability (KEV) as of the publication date, but status may change. Implement patches in a controlled staging environment and conduct testing before production deployment. Organizations should perform their own risk assessment based on their specific architecture, exposure, and operational context. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).