CVE-2026-40988
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Security is the de facto authentication and access-control framework for Spring-based Java applications. Its spring-security-saml2-service-provider module lets an application act as a SAML 2.0 service provider, handling SAML Login and SAML Logout exchanges with an identity provider. With the SAML REDIRECT binding, the SAML message travels as a query parameter that is DEFLATE-compressed and Base64-encoded, so the service provider must Base64-decode and then inflate every message it receives on those endpoints.
A medium-severity vulnerability (CVE-2026-40988) has been identified in this module. When decoding a REDIRECT-binding message, the service provider inflates the compressed payload into an in-memory buffer with no limit on the inflated size. DEFLATE can expand highly redundant input by up to roughly 1000:1, so a crafted query string (its size bounded only by the server's URL/header limits) forces an allocation far larger than the bytes received, and a rapid series of such requests exhausts the JVM heap and denies service to all users. No credentials or user interaction are required.
Per OWASP, a denial of service attack is "focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others." This issue is the resource-handling variant: the inflate step allocates memory proportional to the attacker-chosen decompressed size rather than to the bytes actually received.
This issue affects >=5.5.0 <=5.5.8, >=5.7.0 <=5.7.23, >=5.8.0 <=5.8.25, >=6.2.0 <=6.2.8, >=6.3.0 <=6.3.16, >=6.4.0 <=6.4.16, >=6.5.0 <=6.5.10, and >=7.0.0 <=7.0.5 of Spring Security.
Details
Module Info
- Product: Spring Security
- Affected packages: spring-security-saml2-service-provider
- Affected versions: >=5.5.0 <=5.5.8, >=5.7.0 <=5.7.23, >=5.8.0 <=5.8.25, >=6.2.0 <=6.2.8, >=6.3.0 <=6.3.16, >=6.4.0 <=6.4.16, >=6.5.0 <=6.5.10, >=7.0.0 <=7.0.5
- GitHub repository: https://github.com/spring-projects/spring-security
- Published packages: https://central.sonatype.com/artifact/org.springframework.security/spring-security-saml2-service-provider
- Package manager: Maven
- Fixed in:
- NES for Spring Security 5.5.x, 5.7.x, 5.8.x, 6.2.x, 6.3.x, 6.4.x
- Spring Security 6.5.11, 7.0.6 (OSS)
Vulnerability Info
The SAML 2.0 REDIRECT binding transmits SAML messages as URL query parameters such as SAMLRequest and SAMLResponse. Because URLs are length-limited, the binding specifies that the XML message is first DEFLATE-compressed and then Base64-encoded. On the receiving side, spring-security-saml2-service-provider reverses this in the package-private helper Saml2Utils, whose samlInflate(byte[]) method is invoked by the SAML Login and SAML Logout processing endpoints whenever a REDIRECT-binding message arrives:
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.zip.Inflater;
import java.util.zip.InflaterOutputStream;
import org.springframework.security.saml2.Saml2Exception;

// Vulnerable form: the inflated output accumulates in an unbounded buffer.
static String samlInflate(byte[] b) {
    try {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        // Inflater(true) consumes raw DEFLATE, as the REDIRECT binding specifies.
        InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
        iout.write(b);
        iout.finish();
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }
    catch (IOException ex) {
        throw new Saml2Exception("Unable to inflate string", ex);
    }
}
The byte array b is the Base64-decoded query parameter, and the inflated output accumulates in an unbounded ByteArrayOutputStream. Nothing bounds the input-to-output ratio, making samlInflate a textbook decompression-bomb sink. The module duplicates this helper as a package-private class across several packages, and on some release lines the SAML Login entry point Saml2AuthenticationTokenConverter inlines the same loop, so every REDIRECT-binding path - login, logout request, and logout response - is affected. Because these endpoints accept messages before authentication, an unauthenticated remote attacker can reach the sink directly: a short series of crafted messages allocates heap proportional to the attacker-chosen decompressed size until the JVM throws an OutOfMemoryError.
The remediation caps the inflated size: the inflater now writes through a guard stream that aborts with a Saml2Exception once the decompressed payload exceeds a fixed 1 MiB (1,048,576 bytes) limit. As additional hardening for SAML Login, Spring also recommends disallowing SAML responses in GET requests via OpenSaml5AuthenticationTokenConverter#setShouldConvertGetRequests(false) where applicable; note that this setting covers only the login path, so the logout request and logout response endpoints still depend on the fixed version.
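The following is an added example, written for this page and not code from Spring Security or from this advisory, that puts the unbounded inflate quoted above beside a bounded variant using a guard stream in the spirit of the fix, and constructs a raw-DEFLATE decompression bomb to exercise both. Every name in it (Saml2InflateDemo, BoundedOutputStream, InflateException, samlInflateUnbounded, samlInflateBounded, deflateBombBase64, MAX_INFLATED_BYTES) is this example's own, InflateException is a stand-in for Spring's Saml2Exception, the 1 MiB cap mirrors the limit stated above, and the 4 MiB zero-filled payload is constructed here purely for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.Inflater;
import java.util.zip.InflaterOutputStream;

public class Saml2InflateDemo {

    // Cap mirrored from the advisory: at most 1 MiB of inflated output.
    static final int MAX_INFLATED_BYTES = 1024 * 1024;

    // Stand-in for Spring's Saml2Exception (this example's own type, not Spring's).
    static class InflateException extends RuntimeException {
        InflateException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Vulnerable form: inflated bytes accumulate in an unbounded buffer.
    static String samlInflateUnbounded(byte[] b) {
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            InflaterOutputStream iout = new InflaterOutputStream(out, new Inflater(true));
            iout.write(b);
            iout.finish();
            return new String(out.toByteArray(), StandardCharsets.UTF_8);
        } catch (IOException ex) {
            throw new InflateException("Unable to inflate string", ex);
        }
    }

    // Guard stream: counts what the inflater writes and aborts once the cap is exceeded,
    // so the attacker's chosen decompressed size can no longer drive the allocation.
    static class BoundedOutputStream extends FilterOutputStream {
        private final long limit;
        private long written;
        BoundedOutputStream(OutputStream out, long limit) { super(out); this.limit = limit; }
        @Override public void write(int b) throws IOException { check(1); out.write(b); }
        @Override public void write(byte[] b, int off, int len) throws IOException {
            check(len);
            out.write(b, off, len);
        }
        private void check(int len) throws IOException {
            written += len;
            if (written > limit) {
                throw new IOException("Inflated payload exceeds " + limit + " bytes");
            }
        }
    }

    // Hardened form: identical inflate, but every inflated chunk passes through the guard.
    static String samlInflateBounded(byte[] b) {
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            InflaterOutputStream iout = new InflaterOutputStream(
                    new BoundedOutputStream(out, MAX_INFLATED_BYTES), new Inflater(true));
            iout.write(b);
            iout.finish();
            return new String(out.toByteArray(), StandardCharsets.UTF_8);
        } catch (IOException ex) {
            throw new InflateException("Unable to inflate string", ex);
        }
    }

    // Constructed bomb: n zero bytes as a raw DEFLATE stream (nowrap=true, matching
    // Inflater(true)), Base64-encoded the way a SAMLRequest query parameter would carry it.
    static String deflateBombBase64(int n) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION, true);
        try (DeflaterOutputStream dout = new DeflaterOutputStream(out, deflater)) {
            byte[] chunk = new byte[64 * 1024];
            for (int remaining = n; remaining > 0; remaining -= chunk.length) {
                dout.write(chunk, 0, Math.min(chunk.length, remaining));
            }
        } finally {
            deflater.end();
        }
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        String param = deflateBombBase64(4 * 1024 * 1024); // 4 MiB of zeros, constructed input
        byte[] b = Base64.getDecoder().decode(param);
        System.out.println("Base64 query parameter length: " + param.length() + " chars");
        try {
            samlInflateBounded(b);
        } catch (InflateException ex) {
            System.out.println("bounded inflate rejected it: " + ex.getCause().getMessage());
        }
        // The unbounded form allocates the full 4 MiB; scale n up to see the heap cost grow.
        System.out.println("unbounded inflate produced " + samlInflateUnbounded(b).length() + " chars");
    }
}
```

Save as Saml2InflateDemo.java, then javac Saml2InflateDemo.java and java Saml2InflateDemo. The Base64 parameter comes out at a few kilobytes (zeros compress at close to the DEFLATE maximum), small enough to fit in a default servlet header limit, while the unbounded inflate materialises the full 4 MiB per request; the bounded inflate stops at the 1 MiB mark with the guard's IOException wrapped in the stand-in exception, which is the behaviour a caller should treat as a rejected message rather than a retryable error.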
Mitigation
Spring Security 5.5.x through 6.4.x are End-of-Life open-source lines and no longer receive community updates; those lines have no publicly available fix for this vulnerability. The OSS fix ships only in the currently supported 6.5.x and 7.0.x lines.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a currently supported open-source version of Spring Security that contains the fix. The OSS fix ships in Spring Security 6.5.11 (6.5.x line) and 7.0.6 (7.0.x line).
- Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Security.
Credits
- Anonymous (finder)