CVE-2026-22745

CVE-2026-22745 : Denial of service in static resource handling on Windows platforms

Assigner: vmware
Reserved: 09.01.2026 Published: 29.04.2026 Updated: 29.04.2026

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

the application is using Spring MVC or Spring WebFlux
the application is serving static resources from the file system
the application is running on a Windows platform

When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	VMware
Product	Spring Framework
Versions	Default: affected affected from 7.0.0 to 7.0.7 (excl.) affected from 6.2.0 to 6.2.18 (excl.) affected from 6.1.0 to 6.1.27 (excl.) affected from 5.3.0 to 5.3.48 (excl.)

Vendor

VMware

Product

Spring Framework

Versions

Default: affected

affected from 7.0.0 to 7.0.7 (excl.)
affected from 6.2.0 to 6.2.18 (excl.)
affected from 6.1.0 to 6.1.27 (excl.)
affected from 5.3.0 to 5.3.48 (excl.)

Credits

Bocheng Xiang ( @crispr ) from Fudan University. finder

References

Problem Types