Spring Data Commons Denial of Service via Data Binding

5.9 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory.

Affected versions:
Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Basic Information

ID CVE-2026-41721

Source vmware

Published Jun 9, 2026 at 23:48

Affected Product

Vendor Spring

Product Spring Data Commons

Version 4.0.0

Affected Versions Spring Spring Data Commons 4.0.0
Spring Spring Data Commons 3.5.0
Spring Spring Data Commons 3.4.0
Spring Spring Data Commons 3.3.0
Spring Spring Data Commons 3.2.0
Spring Spring Data Commons 3.1.0
Spring Spring Data Commons 3.0.0
Spring Spring Data Commons 2.7.0

CWE Classification

CWE-400

References

spring.io /security/cve-2026-41721

{
    "lastseen": "",
    "description": "Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory.\n\nAffected versions:\nSpring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.",
    "published": "2026-06-09T23:48:47.132Z",
    "modified": "2026-06-09T23:48:47.132Z",
    "type": "cve",
    "title": "Spring Data Commons Denial of Service via Data Binding",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41721",
    "id": "CVE-2026-41721",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Data Commons 4.0.0\nSpring Spring Data Commons 3.5.0\nSpring Spring Data Commons 3.4.0\nSpring Spring Data Commons 3.3.0\nSpring Spring Data Commons 3.2.0\nSpring Spring Data Commons 3.1.0\nSpring Spring Data Commons 3.0.0\nSpring Spring Data Commons 2.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Data Commons",
    "version": "4.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Data Commons Denial of Service via Data Binding_CVE-2026-41721