CVE-2026-22745 : Denial of service in static resource handling on...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

* the application is using Spring MVC or Spring WebFlux
* the application is serving static resources from the file system
* the application is running on a Windows platform

When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Basic Information

ID CVE-2026-22745

Source vmware

Published Apr 29, 2026 at 11:35

Modified Apr 29, 2026 at 13:23

Affected Product

Vendor VMware

Product Spring Framework

Version 7.0.0

Affected Versions VMware Spring Framework 7.0.0
VMware Spring Framework 6.2.0
VMware Spring Framework 6.1.0
VMware Spring Framework 5.3.0

CWE Classification

CWE-400

References

{
    "lastseen": "",
    "description": "Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.\n\n\nMore precisely, an application can be vulnerable when all the following are true:\n\n  *  the application is using Spring MVC or Spring WebFlux\n  *  the application is serving static resources from the file system\n  *  the application is running on a Windows platform\n\n\nWhen all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.",
    "published": "2026-04-29T11:35:21.947Z",
    "modified": "2026-04-29T13:23:54.622Z",
    "type": "cve",
    "title": "CVE-2026-22745 : Denial of service in static resource handling on Windows platforms",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-22745\nhttps://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1",
    "id": "CVE-2026-22745",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "VMware Spring Framework 7.0.0\nVMware Spring Framework 6.2.0\nVMware Spring Framework 6.1.0\nVMware Spring Framework 5.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Framework",
    "version": "7.0.0",
    "vendor": "VMware",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

CVE-2026-22745 : Denial of service in static resource handling on Windows platforms_CVE-2026-22745