CVE-2026-41007 PUBLISHED

Spring HATEOAS heap exhaustion through unbounded internal caching

Assigner: vmware
Reserved: 16.04.2026 Published: 09.06.2026 Updated: 09.06.2026

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.

Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor Spring
Product Spring HATEOAS
Versions Default: unaffected
  • affected from 1.5.0 to 1.5.7 (excl.)
  • affected from 2.3.0 to 2.3.5 (excl.)
  • affected from 2.4.0 to 2.4.2 (excl.)
  • affected from 2.5.0 to 2.5.3 (excl.)
  • affected from 3.0.0 to 3.0.4 (excl.)

References

Problem Types

  • CWE-770: Allocation of Resources Without Limits or Throttling CWE

Impacts

  • An unauthenticated remote attacker can exhaust heap memory by supplying arbitrary strings that grow the unbounded StringLinkRelation cache, causing denial of service.