HIGH 7.5

CVE-2026-41842: Spring Framework DoS Vulnerability in Static Resource Resolution

Spring Framework versions 5.3 through 7.0 contain a denial-of-service vulnerability in their static resource resolution code. An unauthenticated attacker can craft requests that cause Spring MVC and WebFlux applications to consume excessive resources, potentially rendering the application unavailable. No user interaction is required, and the attack works over the network. The vulnerability affects a wide range of Spring versions released over several years, making it relevant to many production deployments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-27

NVD description (verbatim)

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41842 is a CWE-400 (Uncontrolled Resource Consumption) vulnerability in Spring Framework's static resource handling mechanism. When processing requests to resolve static resources, affected versions fail to properly limit resource consumption, allowing attackers to trigger uncontrolled CPU, memory, or connection usage. The vulnerability impacts both Spring MVC and the reactive WebFlux framework, affecting versions 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, and 7.0.0–7.0.7. Exploitation requires network access but no authentication or special privileges.

Business impact

Organizations running affected Spring applications face availability risk. A successful DoS attack could disrupt web services, APIs, and user-facing applications during critical business operations. The broad version range means legacy and recently patched systems alike may be vulnerable. Remediation requires coordinated patching across development and production environments, which may be resource-intensive for large deployments. The ease of exploitation (no authentication, low complexity) means this threat has high urgency relative to its technical severity score.

Affected systems

Any Spring Framework deployment running versions 5.3.0 through 7.0.7 is potentially affected. This includes applications built with Spring MVC (traditional servlet-based) and Spring WebFlux (reactive) frameworks. Version 5.3 reached mainstream support end-of-life in 2023 but may still run in production environments. Version 6.1 and 6.2 are actively maintained. Version 7.0 is the latest release line. Organizations should inventory Spring Framework versions in their application portfolio, including transitive dependencies brought in by other frameworks or libraries.

Exploitability

This vulnerability has a CVSS 3.1 score of 7.5 (HIGH), reflecting network accessibility, no authentication requirement, low attack complexity, and direct availability impact. The attack does not require user interaction. While not yet listed on CISA's Known Exploited Vulnerabilities catalog, the straightforward nature of triggering resource exhaustion via HTTP requests means exploitability is likely immediate once public details emerge. Attackers can identify vulnerable versions through application fingerprinting. No special tools or insider knowledge are needed.

Remediation

Upgrade Spring Framework to patched versions beyond those listed as vulnerable. Consult the VMware Spring Security Advisory for specific patch versions for each minor release line. Organizations should prioritize patching based on criticality of the affected application and whether it is internet-facing. Additionally, implement network-level rate limiting or Web Application Firewall (WAF) rules to restrict the rate of requests to static resource endpoints, which may provide temporary mitigation while patching is underway. Monitor application resource usage for signs of active exploitation.

Patch guidance

Verify the latest patched Spring Framework versions through the official VMware Spring Framework advisory page. Update your dependency management (Maven pom.xml, Gradle build.gradle, or equivalent) to reference the first patched version for your current minor release. Test patches thoroughly in a staging environment to ensure compatibility with application-specific extensions or customizations. For applications using Spring Boot, update the spring-boot-starter-parent or individual spring-framework dependencies and rebuild. Consider using automated dependency scanning tools to identify and flag vulnerable versions in your codebase.

Detection guidance

Monitor application logs for repeated requests to static resource endpoints, especially those with unusual or malformed path parameters. Look for sudden spikes in CPU, memory, or connection pool exhaustion correlating with HTTP traffic patterns. Network intrusion detection systems (IDS) may flag high-frequency requests to the same resource path. Spring Framework debug logs can reveal resource resolution attempts. Proactive scanning using software composition analysis (SCA) tools will identify vulnerable Spring Framework versions in your codebase and supply chain. Implement application performance monitoring (APM) to establish baselines and alert on anomalous resource consumption.

Why prioritize this

Although the CVSS score is HIGH (7.5), the practical risk is elevated by the large installed base across multiple version lines, the trivial nature of exploitation (unauthenticated network attack), and the direct business impact (availability). The absence from KEV at the time of writing does not reflect low exploit likelihood; it reflects the recency of the disclosure. Internet-facing applications should be patched urgently. Internal-only systems may be deprioritized relative to external-facing services, but should not be neglected.

Risk score, explained

The CVSS 3.1 score of 7.5 is driven by: (1) Network accessibility (AV:N) – the attack is remotely exploitable; (2) Low attack complexity (AC:L) – no special preconditions or tools required; (3) No privileges required (PR:N) – unauthenticated attackers can exploit; (4) No user interaction (UI:N) – the attack succeeds without social engineering; (5) High availability impact (A:H) – successful exploitation degrades or disables the service. The absence of confidentiality or integrity impact reflects that this is purely a DoS vulnerability. The score appropriately reflects a critical business risk even if data confidentiality is not compromised.

Frequently asked questions

Does this affect Spring Boot applications?

Yes, if your Spring Boot application uses Spring Framework in the vulnerable version ranges (5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, 7.0.0–7.0.7) and serves static resources. Spring Boot embeds Spring Framework, so updating Spring Framework via dependency management is necessary.

Is there a workaround if we cannot patch immediately?

Temporarily mitigate by disabling static resource serving if feasible, serving static resources from a CDN or reverse proxy (nginx, Apache) instead of the Spring application, or implementing rate limiting on resource endpoints. These do not address the root cause and should be replaced with patches as soon as possible.

How can we verify that our application is vulnerable?

Use software composition analysis (SCA) tools such as Snyk, OWASP Dependency-Check, or Maven/Gradle plugins to scan your pom.xml or build.gradle and identify the Spring Framework version. Cross-reference against the affected ranges (5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, 7.0.0–7.0.7). For manually-managed dependencies, check your build output and classpath inspection tools.

Why are older versions like 5.3 still a concern if they are out of support?

Many organizations continue running supported but older versions of Spring Framework in stable, low-change production systems. While 5.3 reached end-of-life in 2023, it remains in use. The vulnerability affects all supported and unsupported versions in the listed ranges, so even out-of-support applications remain exposed unless patched.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. The vulnerability details, affected versions, and CVSS score are derived from the CVE record published on 2026-06-09. Patch versions and specific remediation steps should be verified against the official VMware Spring Framework Security Advisory before implementation. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own testing and validation in accordance with their change management policies. SEC.co makes no warranty regarding the completeness or accuracy of this analysis, and users assume all responsibility for decisions made based on this information. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).