MEDIUM 5.9

CVE-2026-41721: Spring Data Commons Memory Exhaustion DoS Vulnerability

Spring Data Commons, a widely-used data access abstraction framework, contains a vulnerability that enables remote denial-of-service attacks. When Spring Data Web Support is enabled and a controller uses the @ProjectedPayload annotation, attackers can craft specific HTTP requests that force the application to consume excessive memory, degrading or halting service availability. The vulnerability requires specific configuration conditions to be present, limiting its immediate exposure but posing real risk to affected deployments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in Spring Data Commons' handling of projected payloads when Web Support is active. The @ProjectedPayload annotation is designed to map incoming request data to projection interfaces; however, the framework fails to properly constrain memory allocation during this mapping process. A specially crafted request can trigger uncontrolled memory consumption, leading to heap exhaustion and eventual JVM termination. This is classified as an Uncontrolled Resource Consumption issue (CWE-400). The attack vector is network-based, requires no authentication, but has high attack complexity due to configuration prerequisites. The CVSS 3.1 score of 5.9 reflects the availability impact with no confidentiality or integrity compromise.

Business impact

Impacted applications experience service disruption without data breach risk. For production environments relying on Spring Data Commons with Web Support and projection mapping, a successful attack results in downtime that affects customer-facing services, revenue-generating operations, and user experience. Organizations in real-time transaction processing, streaming, or high-availability use cases face compounded harm. The vulnerability does not enable data exfiltration, unauthorized access, or system compromise, limiting incident scope to availability restoration and investigation overhead.

Affected systems

Spring Data Commons versions across multiple release lines are vulnerable: the 4.x line (4.0.0–4.0.5), 3.x line (3.5.0–3.5.11, 3.4.0–3.4.14, 3.3.0–3.3.16, 3.2.0–3.2.15, 3.1.0–3.1.14, 3.0.0–3.0.15), and 2.7.x line (2.7.0–2.7.19). Spring Data Commons is a foundational component used by many Spring Data projects (JPA, MongoDB, REST, etc.) and appears in countless enterprise Java applications. However, exploitation requires both Web Support to be active and at least one controller method annotated with @ProjectedPayload, which narrows real-world exposure. Organizations should inventory applications using Spring Data Commons and confirm the presence of both conditions before escalating priority.

Exploitability

The vulnerability has a high attack complexity rating, meaning exploitation is not straightforward. An attacker must understand the target application's use of @ProjectedPayload, craft a request body that triggers pathological memory allocation behavior, and time or repeat the request to exhaust heap resources. No authentication is required, and the attack is entirely remote. The absence of CISA KEV listing and lack of public weaponized exploits suggest the vulnerability has not yet become a widespread attack vector, though the technical barrier to exploitation is not prohibitively high for determined threat actors. Organizations should assume exploitation is possible but not imminent across all environments.

Remediation

Upgrade Spring Data Commons to patched versions. Verify the vendor advisory from Broadcom/VMware for exact patched release numbers across all affected lines (2.7.x, 3.0.x through 3.5.x, and 4.0.x). As an interim control, disable Spring Data Web Support if projection mapping is not essential, or restrict @ProjectedPayload usage to trusted input sources only. Code review of controller methods using @ProjectedPayload and monitoring for unexpected memory spikes can provide additional defensive layers while patches are staged.

Patch guidance

1. Identify all internal applications and dependencies using Spring Data Commons. 2. Cross-reference against the affected version ranges provided in the CVE. 3. Consult the Broadcom Spring Data Commons security advisory for patched versions corresponding to each release line. 4. Prioritize patching of production systems first, particularly those exposed to untrusted input. 5. Test patched versions in a staging environment before production rollout, as memory allocation and data binding changes may affect performance baselines. 6. Verify that patches are applied across all transitive dependencies that pull in Spring Data Commons.

Detection guidance

Monitor application logs and JVM metrics for sudden memory pressure spikes, out-of-memory errors, or garbage collection pauses correlated with HTTP requests containing large or malformed request bodies directed at endpoints using @ProjectedPayload. Inspect network traffic for repeated requests with suspicious or oversized payloads to projection-mapped endpoints. Implement heap memory thresholds and alerting in your JVM monitoring stack. Review application startup logs to confirm whether Spring Data Web Support is enabled; if it is not, this vulnerability cannot be exploited. Security event correlation systems should flag repeated HTTP 500 or 503 responses from specific application endpoints as a potential indicator of attack activity.

Why prioritize this

Medium severity with availability impact in a widely-deployed framework justifies prompt attention but not emergency response. The requirement for specific configuration (Web Support + @ProjectedPayload) limits blast radius. The lack of KEV listing and public exploits suggests the vulnerability has not become an active threat in the wild. However, organizations operating multi-tenant platforms or high-volume transaction systems should prioritize patching sooner to reduce DoS risk. Patch this vulnerability within your standard 30-60 day update cycle, or accelerate if you have confirmed exposure and external-facing services using the affected configuration.

Risk score, explained

CVSS 5.9 (Medium) reflects the denial-of-service impact (availability) with no confidentiality or integrity risk. The high attack complexity (AC:H) due to configuration prerequisites and the requirement for attacker knowledge of the application's use of @ProjectedPayload prevent a higher score. The network attack vector and lack of authentication lower the barrier to attempt, but the combination of factors yields a moderate risk assessment. Context-specific factors—such as reliance on continuous availability, exposure of projection endpoints to untrusted networks, or critical business processes—may elevate effective risk within your organization.

Frequently asked questions

Do we need to patch if we don't use @ProjectedPayload in our Spring Data applications?

Likely no. The vulnerability requires both Spring Data Web Support to be enabled and at least one controller method annotated with @ProjectedPayload to be exploitable. If neither condition is present, this CVE does not threaten your deployment. However, we recommend confirming your codebase is free of @ProjectedPayload usage before deferring the patch.

What's the difference between this and a typical memory leak?

This is not a memory leak in the traditional sense. Rather, it's a resource exhaustion vulnerability where a single crafted request can cause the framework to allocate large amounts of memory in a short time, exhausting the heap. The memory may be freed after the request completes, but the spike is severe enough to cause application failure or performance degradation.

Will disabling Spring Data Web Support completely break my application?

Only if your application relies on Spring Data Web Support for automatic request-to-data binding. Many applications use Spring Data for persistence only and do not enable Web Support. Review your application configuration (typically in Spring Boot autoconfiguration or XML) to confirm whether you depend on this feature. If you do, patching is preferable to disabling the feature; if you don't, disabling it is a valid interim control.

Is there a way to test if our application is vulnerable before patching?

Testing should only be performed in a non-production environment. You would need to identify a controller endpoint using @ProjectedPayload and attempt to send a large or malformed request payload to it while monitoring heap memory usage. However, this is labor-intensive and risky. We recommend relying on version checking (comparing your Spring Data Commons version against the affected ranges) and proceeding directly to patching.

This analysis is provided for informational purposes. Patch version numbers and detailed remediation steps must be verified against the official Broadcom/VMware Spring Data Commons security advisory. Organizations should conduct their own risk assessment based on their specific use of Spring Data Commons and their network architecture. This vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date, but this does not guarantee absence of attack activity. No exploit code is provided herein. Consult your security team and vendor documentation before making patching decisions. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).