View all Vulnerabilities

CVE-2026-22741

No items found.
Affects
Spring Framework
in
Spring
No items found.
Versions
>=4.1.7 <=4.3.30, >=5.0.0 <=5.3.47, >=6.0.0 <=6.0.23, >=6.1.0 <=6.1.26, >=6.2.0 <=6.2.17, >=7.0.0 <=7.0.6
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational framework of the Spring ecosystem, providing comprehensive support for developing Java enterprise applications. Both of its web stacks, Spring MVC (Servlet) and Spring WebFlux (reactive), include a resource chain that can serve pre-encoded static resources (for example, gzip or brotli variants) based on the client's Accept-Encoding header, with an optional in-memory cache to avoid resolving the encoded variant on every request.

A low-severity vulnerability (CVE-2026-22741) has been identified in Spring Framework. The Accept-Encoding request header is parsed by two different routines in the same pipeline: CachingResourceResolver.getContentCodingKey uses a strict token parser to build the cache key, while EncodedResourceResolver.resolveResourceInternal uses a loose substring match to decide which pre-encoded variant to serve. Because the two routines disagree on how the header is interpreted, an attacker can craft a header that the strict parser canonicalizes to one value while the loose parser selects a different encoding. The result is a cache entry that is keyed as if for a benign client but stores a response encoded under a different scheme. Subsequent legitimate clients whose headers canonicalize to the same key receive bytes with the wrong Content-Encoding and the browser cannot decode them, breaking the frontend.

Per OWASP: "The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others." In this case, an attacker exploits inconsistent parsing of an HTTP header to poison the server-side static resource cache and deny service to legitimate users of the frontend.

The CVSS v3.1 base score for this vulnerability is 3.1 (Low) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L. The attack is network-accessible but has high attack complexity (the cache must be empty and the attacker must win a race against the first legitimate request) and requires user interaction from a subsequent victim, and its impact is confined to a low availability loss with no confidentiality or integrity impact.

The desynchronization was introduced in Spring Framework 4.1.7 (May 2015) when CachingResourceResolver.computeKey began appending a `+encoding=gzip` suffix to the cache key using a case-sensitive encoding.contains("gzip") check, while the existing GzipResourceResolver.isGzipAccepted used a case-insensitive value.toLowerCase().contains("gzip") check. The two parsers disagreed on headers such as Accept-Encoding: GZIP, and the same class of desynchronization was carried forward when Spring 5.1.0 restructured gzip-only handling into the more general EncodedResourceResolver, this time as a tokenization-strictness mismatch between CachingResourceResolver.getContentCodingKey and EncodedResourceResolver.resolveResourceInternal. Both flavors of the bug persist in every subsequent release up to the listed fix versions. This issue affects versions 4.1.7 through 4.3.30, 5.0.0 through 5.3.47, 6.0.0 through 6.0.23, 6.1.0 through 6.1.26, 6.2.0 through 6.2.17, and 7.0.0 through 7.0.6 of Spring Framework.

Details

Module Info

Vulnerability Info

The vulnerability lives in two parallel pairs of classes that mirror each other between the Servlet and reactive stacks: CachingResourceResolver and EncodedResourceResolver in org.springframework.web.servlet.resource (Spring MVC) and in org.springframework.web.reactive.resource (Spring WebFlux). On the pre-5.1 Spring MVC line the same bug exists between CachingResourceResolver and the narrower GzipResourceResolver (the gzip-only predecessor of EncodedResourceResolver); the reactive package did not exist before Spring 5.0, so that flavor is Spring MVC only.

On Spring Framework 5.1 and later, an application becomes vulnerable when all of the following are true:

  • The application is using Spring MVC or Spring WebFlux
  • The application is configuring the resource chain support with caching enabled
  • The application adds support for encoded resources resolution
  • The resource cache must be empty when the attacker has access to the application

On Spring Framework 4.1.7 through 5.0.x, the preconditions are similar but narrower, because only Spring MVC exists and only gzip-encoded resources are supported:

  • The application is using Spring MVC
  • The application is configuring the resource chain support with caching enabled (CachingResourceResolver)
  • The application is serving gzip-encoded resources via GzipResourceResolver
  • The resource cache must be empty when the attacker has access to the application

When those conditions are met, the CachingResourceResolver wraps the EncodedResourceResolver in the resource chain. On each request, the caching resolver first computes a cache key from the request path and the accepted content codings, and on a cache miss it delegates to the encoded resolver to pick and return a pre-encoded resource, which is then stored under that key.

Prior to the fix, the two resolvers parsed Accept-Encoding independently and inconsistently. The caching resolver used a strict, token-oriented parse:

private String getContentCodingKey(HttpServletRequest request) {
    String header = request.getHeader(HttpHeaders.ACCEPT_ENCODING);
    if (!StringUtils.hasText(header)) {
        return null;
    }
    return Arrays.stream(StringUtils.tokenizeToStringArray(header, ","))
            .map(token -> {
                int index = token.indexOf(';');
                return (index >= 0 ? token.substring(0, index) : token).trim().toLowerCase(Locale.ROOT);
            })
            .filter(this.contentCodings::contains)
            .sorted()
            .collect(Collectors.joining(","));
}

The encoded resolver used a loose substring containment check on the entire lowercased header:

String acceptEncoding = getAcceptEncoding(request);
if (acceptEncoding == null) {
    return resource;
}
for (String coding : this.contentCodings) {
    if (acceptEncoding.contains(coding)) {
        // ... serve pre-encoded resource with that coding
    }
}

private String getAcceptEncoding(HttpServletRequest request) {
    String header = request.getHeader(HttpHeaders.ACCEPT_ENCODING);
    return (header != null ? header.toLowerCase(Locale.ROOT) : null);
}

acceptEncoding.contains(coding) does not honor token boundaries, quality values, or ;q=0 explicit rejections. An attacker can craft a header such as gzip;q=0, br that the strict parser (cache-key side) canonicalizes to br while the loose parser (resolver side) still matches the substring gzip and serves the gzip-encoded resource. The resolved resource is then stored in the cache under the strict br-only key. A subsequent legitimate client whose Accept-Encoding header also canonicalizes to br looks up that cache slot and receives gzip-encoded bytes advertised as br, which the browser cannot decode, producing a broken page.

The "resource cache must be empty when the attacker has access" precondition reflects the race: the attacker must win the first uncached lookup for a given key, because once a legitimate response is cached the attacker cannot overwrite it.

The fix unifies the two parsers by introducing a single parseAcceptEncoding static helper on EncodedResourceResolver, which both resolvers now call:

static List<String> parseAcceptEncoding(HttpServletRequest request) {
    String header = request.getHeader("Accept-Encoding");
    if (!StringUtils.hasText(header)) {
        return Collections.emptyList();
    }
    header = header.toLowerCase(Locale.ROOT);
    return Arrays.stream(StringUtils.tokenizeToStringArray(header, ","))
            .map(token -> {
                int index = token.indexOf(';');
                return (index >= 0 ? token.substring(0, index) : token).trim();
            })
            .toList();
}

CachingResourceResolver.getContentCodingKey now builds its key from the token list returned by parseAcceptEncoding, and EncodedResourceResolver.resolveResourceInternal now iterates the same token list and checks full-token membership with contentCodings.contains(acceptedCoding) rather than a substring match. The private getAcceptEncoding helpers are removed. Because both sides now derive their decision from the same parsed tokens, the desynchronization that enabled the poisoning is eliminated. Equivalent changes are applied to the reactive variants that take a ServerWebExchange.

On the pre-5.1 Spring MVC line the bug takes a narrower form: CachingResourceResolver.computeKey performs a case-sensitive encoding.contains("gzip") check, while GzipResourceResolver.isGzipAccepted performs a case-insensitive value.toLowerCase().contains("gzip") check. A header such as Accept-Encoding: GZIP matches on the resolver side but not on the cache-key side, causing gzip-encoded bytes to be stored under a cache key that omits the +encoding=gzip suffix. A subsequent benign request whose cache key resolves to the same slot receives gzipped bytes without the Content-Encoding: gzip response header. The NES patch for these older lines aligns the two parsers by having both sides use the same case-insensitive token-based parse.

Mitigation

Only recent versions of Spring Framework receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework.

Credits

  • Yuki Matsuhashi (finder)
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Low
ID
CVE-2026-22741
PROJECT Affected
Spring Framework
Versions Affected
>=4.1.7 <=4.3.30, >=5.0.0 <=5.3.47, >=6.0.0 <=6.0.23, >=6.1.0 <=6.1.26, >=6.2.0 <=6.2.17, >=7.0.0 <=7.0.6
NES Versions Affected
Published date
April 17, 2026
≈ Fix date
April 17, 2026
Fixed in
NES for Spring
Category
No items found.
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.