HIGH 7.5

CVE-2026-41716: Spring Data Commons Heap Exhaustion Denial-of-Service

Spring Data Commons contains a vulnerability in how it caches internal property lookups. An attacker can exploit this by sending specially crafted requests that cause the cache to store attacker-controlled strings as permanent cache keys. Because these keys are never cleaned up, repeated requests will gradually consume all available heap memory, eventually crashing the application. This is a denial-of-service attack that requires no authentication and can be triggered from the network.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-770
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41716 is a denial-of-service vulnerability affecting Spring Data Commons' internal property-lookup caching mechanism. The vulnerability stems from the cache accepting attacker-supplied strings as keys without sanitization or eviction logic. An unauthenticated remote attacker can repeatedly send requests with varying malicious payloads, causing the cache to grow unbounded and exhaust heap memory. The vulnerability maps to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS 3.1 score of 7.5 (HIGH), reflecting network-based exploitability with low attack complexity and high impact to availability.

Business impact

Applications using vulnerable Spring Data Commons versions will be susceptible to remote denial-of-service attacks. An attacker can render affected services unavailable without credentials or complex prerequisites, disrupting business operations and user access. This is particularly impactful for SaaS platforms, REST APIs, and microservices architectures that expose Spring Data-backed endpoints. Recovery requires application restart, with no way to prevent further attacks until patching is completed. Multi-tenant environments are at elevated risk if any tenant-controlled input reaches the property-lookup cache.

Affected systems

Spring Data Commons versions 2.7.0–2.7.19, 3.3.0–3.3.16, 3.4.0–3.4.14, 3.5.0–3.5.11, and 4.0.0–4.0.5 are vulnerable. Any Java application directly depending on these versions of Spring Data Commons is at risk. This includes applications using Spring Data JPA, Spring Data MongoDB, Spring Data Redis, and other Spring Data modules that inherit the vulnerable base library. Check your dependency tree for transitive inclusions of vulnerable versions.

Exploitability

This vulnerability is trivially exploitable. No authentication is required, and the attack vector is network-based with low complexity—an attacker needs only to craft HTTP requests (or equivalent) that trigger property lookups with attacker-controlled keys. Exploitation does not require user interaction or special system configuration. The impact is immediate: resource exhaustion will degrade performance and eventually crash the service. No KEV data is currently available for this CVE, but the straightforward nature of the attack and high availability impact make it an attractive target.

Remediation

Upgrade Spring Data Commons to patched versions as soon as feasible. Verify the specific patched version from the vendor advisory, as multiple release lines require targeted updates. Additionally, implement network-level rate limiting or request filtering in front of exposed endpoints to reduce the surface area for resource exhaustion attacks. Monitor heap memory usage and implement alerting for abnormal growth patterns. Review application logs for unusual patterns of property-lookup requests that might indicate active exploitation attempts.

Patch guidance

Contact your Spring Data Commons vendor (Broadcom) and consult their official security advisory for the specific patched version applicable to your release line. Generally, patch versions will be released for each affected line (2.7.x, 3.3.x, 3.4.x, 3.5.x, and 4.0.x). Plan updates carefully if you are on an older maintenance line, as vendor support timelines may influence your patching window. Verify compatibility with your application and run regression tests before deploying to production. Consider staging the upgrade in a non-production environment first to confirm no application-specific issues arise.

Detection guidance

Monitor Java application heap memory consumption for sudden or sustained increases that correlate with incoming request volume. Log property-lookup operations if available through Spring Data debugging, and look for requests with unusual or repetitive property names that don't match your application's legitimate data model. Check application metrics for a spike in cache size or entries. Network intrusion detection can flag repeated requests with varying payloads to the same endpoint if baseline behavior is established. Heap dumps from crashed or memory-constrained instances should be analyzed for cache map size anomalies.

Why prioritize this

This vulnerability warrants high prioritization due to its simplicity of exploitation, lack of authentication requirements, and direct impact to service availability. With a CVSS score of 7.5 and network-accessible attack surface, any public-facing or internal-network-exposed Spring Data application is at significant risk. The combination of ease of exploitation and business impact makes this suitable for immediate remediation in most environments. Organizations should prioritize patching of internet-facing services and APIs first, followed by internal systems.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects the network-based attack vector, low attack complexity, and high impact to availability. The absence of authentication requirements and user interaction further elevates risk. The vulnerability does not expose confidential data or allow privilege escalation, keeping the score below CRITICAL. However, the guaranteed denial of service and ease of triggering place this firmly in the HIGH severity category, justifying immediate remediation efforts.

Frequently asked questions

Can this vulnerability be exploited through firewalls or load balancers?

Yes. Since the attack vector is network-based and requires no authentication or special headers, standard firewalls and load balancers do not prevent exploitation. However, rate limiting and request throttling at the load balancer or API gateway can significantly reduce the attack's effectiveness by limiting the rate at which an attacker can exhaust the cache.

Does patching Spring Data Commons require application code changes?

No. Patching is a dependency upgrade; your application code does not need to change. However, ensure your project's dependency management (Maven, Gradle, etc.) is updated to pull the patched version, and perform standard regression testing before deploying to production.

What if my application uses Spring Data indirectly through another framework?

Check your dependency tree using tools like Maven Dependency Tree or Gradle Dependencies Report to identify if Spring Data Commons is a transitive dependency. If present, you must upgrade the parent dependency or explicitly override the Spring Data Commons version to a patched release. Consult your framework's documentation for version compatibility guidance.

Is there a workaround if I cannot patch immediately?

Implement network-level mitigations such as rate limiting, request throttling, and IP-based access controls to reduce exposure. Monitor heap memory and configure alerts for abnormal growth. However, these are temporary measures; patching is the only definitive fix. Prioritize patching as soon as your change management process allows.

This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. Specific patch versions, compatibility notes, and vendor timelines should be verified against Broadcom's official security advisory before implementing remediation. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance. Organizations should conduct their own risk assessments and testing in accordance with their change management policies. Exploit code and weaponized proof-of-concept details are not provided to minimize harm during the disclosure period. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).