CVE-2026-41848: Spring Framework AntPathMatcher ReDoS Vulnerability
Spring Framework's AntPathMatcher component is susceptible to a Regular Expression Denial of Service (ReDoS) attack. If an attacker can control or influence URL path patterns processed by the matcher, they can craft a malicious pattern that causes excessive CPU consumption, potentially degrading application performance or availability. This vulnerability affects multiple actively supported versions of Spring Framework spanning several release lines.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.7 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-1333
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-27
NVD description (verbatim)
Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Spring Framework's AntPathMatcher class, specifically in three methods: match(), matchStart(), and extractUriTemplateVariables(). These methods process user-supplied or attacker-controlled patterns without adequate safeguards against algorithmic complexity attacks. The underlying regular expression engine can enter pathological backtracking behavior when presented with specially crafted input, consuming CPU resources in a way that grows exponentially with input length. The issue is classified as CWE-1333 (Inefficient Regular Expression Complexity).
Business impact
Affected Spring Framework deployments face potential availability degradation if attackers exploit this ReDoS vector. Applications that expose user-controlled path patterns—such as those accepting dynamic URL templates via APIs or configuration—are at higher risk. While the CVSS score of 3.7 reflects a low severity rating, successful exploitation could trigger resource exhaustion on a per-request basis, making the vulnerability operationally relevant in high-traffic environments or scenarios where request volume can be amplified.
Affected systems
VMware Spring Framework versions 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48 are affected. Organizations should prioritize inventory of Spring Framework usage across their application portfolio. Notably, version 5.3.x, while no longer in mainstream support, remains in extended support; organizations using older branches should confirm their support status with VMware.
Exploitability
Exploitation requires an attacker to supply a crafted pattern to one of the vulnerable methods. The access vector is network-based with no authentication required, but the attack complexity is rated as high, meaning the attacker must understand the specific regex engine behavior and potentially the application's pattern-matching logic. This is not a trivial or widely automated attack; it requires targeted knowledge and is unlikely to appear in commodity exploit kits. No public exploit code or KEV designation indicates active, widespread exploitation as of the publication date.
Remediation
Upgrade to patched versions from VMware's security advisories. The recommended approach is to move to the latest supported version in each release line (verify exact patch versions in the official VMware Spring Framework security bulletins). Organizations unable to upgrade immediately should implement input validation and sanitization on any externally sourced path patterns, restricting pattern complexity and length where feasible.
Patch guidance
Consult VMware's official Spring Framework security advisory for precise patch version numbers and upgrade paths. Generally, upgrading to the latest stable release in your currently supported version line (7.0.8+, 6.2.19+, 6.1.28+, or 5.3.49+, pending verification) is the standard remediation. If you are on an older or unsupported branch, prioritize a version upgrade strategy. Test patches in a non-production environment first, particularly if the application relies heavily on AntPathMatcher for routing or template variable extraction.
Detection guidance
Monitor application logs for unusual patterns in request URIs, particularly those containing repetitive structures or excessive special characters that might trigger backtracking. CPU and memory profiling during normal operations provides a baseline; spikes coinciding with specific request patterns may indicate an attack. Intrusion detection systems capable of detecting regex-based DoS signatures can be tuned to flag suspicious path patterns. Additionally, rate-limit or throttle requests with excessively complex or long path segments.
Why prioritize this
Despite the low CVSS score, this vulnerability merits timely attention because it affects multiple widely-used versions of Spring Framework and can be triggered without authentication or user interaction. However, the high attack complexity and lack of active exploitation reduce urgency compared to critical or high-severity flaws. Prioritize remediation for internet-facing Spring applications that accept dynamic URL patterns; internal or tightly controlled deployments can follow a standard patch cadence.
Risk score, explained
The CVSS v3.1 score of 3.7 (LOW) reflects the absence of confidentiality or integrity impact and the requirement for attacker expertise to craft a successful payload. The network-based attack vector and lack of privilege requirements are partially offset by high attack complexity. The availability impact is limited in scope—denial affects performance rather than complete service outage—further justifying the low rating. Organizations should not dismiss the vulnerability but should allocate resources proportionally.
Frequently asked questions
Can this vulnerability be exploited remotely without authentication?
Yes. An attacker on the network can send crafted HTTP requests with malicious path patterns to a vulnerable Spring application. No credentials or pre-existing access are required. However, the attacker must understand regex engine behavior and the application's specific use of AntPathMatcher, making opportunistic exploitation unlikely.
What applications are most at risk?
Spring Boot web applications that process user-supplied or externally sourced URL patterns are most at risk. This includes applications that accept dynamic route definitions, API gateways, or services that use AntPathMatcher for access control rule evaluation. Internal microservices with restricted network access face lower risk.
Is there a workaround if I cannot patch immediately?
Implement strict input validation on any user-supplied or external path patterns. Limit pattern length, restrict special character usage, and sanitize inputs before passing them to AntPathMatcher methods. Additionally, implement rate limiting on requests with complex patterns. These measures reduce risk but do not fully eliminate it; patching remains the definitive solution.
Does this affect Spring Boot projects?
Yes, if your Spring Boot application depends on Spring Framework 5.3.x, 6.1.x, 6.2.x, or 7.0.x within the affected ranges. Check your pom.xml or gradle.build for the spring-framework version and cross-reference against the affected version ranges. Spring Boot's release notes indicate which Spring Framework version is bundled by default.
This analysis is provided for informational purposes and should not be considered a substitute for official VMware Spring Framework security advisories or your organization's security policy. Patch version numbers and specific remediation steps should be verified against VMware's official guidance. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability data and assumes no liability for reliance on this content. Always test patches in non-production environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11478LOWInefficient Regex Complexity in kokke tiny-regex-c
- CVE-2026-10291MEDIUMReDoS in Enderfga claw-orchestrator validateRegex—Security Update
- CVE-2026-10691MEDIUMReDoS Vulnerability in DesktopCommanderMCP Search Manager
- CVE-2026-10692MEDIUMReDoS Vulnerability in code-index-mcp Up to 2.14.0 – Patch Available
- CVE-2026-42567HIGHSvelte ReDoS Vulnerability in Dynamic Element Tags
- CVE-2026-44796MEDIUMNautobot Denial of Service via ReDoS in Bulk-Rename Endpoints
- CVE-2026-45409MEDIUMDenial-of-Service in Python IDNA Library via Resource Exhaustion
- CVE-2026-8888HIGHSecurly Chrome Extension HTTP Regex DoS Vulnerability