CVE-2026-41007: Spring HATEOAS heap exhaustion through unbounded internal caching

Severity: 7.5 / 10 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Because the cache is never evicted, a remote client can keep adding new keys until the heap is exhausted, resulting in a denial of service (the CVSS vector reflects availability impact only).

Affected versions:
  Spring HATEOAS 1.5.0 through 1.5.6
  Spring HATEOAS 2.3.0 through 2.3.4
  Spring HATEOAS 2.4.0 through 2.4.1
  Spring HATEOAS 2.5.0 through 2.5.2
  Spring HATEOAS 3.0.0 through 3.0.3

Basic Information

ID CVE-2026-41007
Source vmware
Published Jun 9, 2026 at 04:00

Affected Product

Vendor: Spring
Product: Spring HATEOAS
Version: 1.5.0
Affected Versions (as listed by the source, one entry per affected release line):
  Spring HATEOAS 1.5.0
  Spring HATEOAS 2.3.0
  Spring HATEOAS 2.4.0
  Spring HATEOAS 2.5.0
  Spring HATEOAS 3.0.0

CWE Classification

References
