CVE-2026-41695
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Data Commons is the foundational module of the Spring Data project, providing the shared mapping, repository, and property-path infrastructure that the individual Spring Data store modules (JPA, MongoDB, Redis, and others) build upon. Among its responsibilities is resolving string property paths against a domain type's metadata, a mechanism that consuming modules such as Spring Data REST expose to externally supplied input for sorting, projections, and query derivation.
A high-severity vulnerability (CVE-2026-41695) has been identified in property-path resolution. When attacker-controlled property path strings are passed to MappingContext property path resolution, the result of every lookup is retained in internal caches that have no size limit, and lookups that fail to resolve are cached as well. An attacker who submits a large number of unique invalid property paths or unknown type aliases causes these caches to grow without bound, exhausting the application's memory and resulting in a Denial of Service.
Per OWASP, a Denial of Service attack aims to make a resource "unavailable to its intended users" by exhausting the target's processing or memory capacity. Here a stream of short, cheap-to-send requests is amplified into permanently retained server-side state, denying service to legitimate users of the application.
This vulnerability is exploitable where an application maps untrusted input to property paths (for example through Spring Data REST sort, projection, or query parameters). Applications that never resolve untrusted property paths are not exposed through this path.
This issue affects Spring Data Commons versions >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, and >=4.0.0 <=4.0.5.
Details
Module Info
- Product: Spring Data Commons
- Affected packages: spring-data-commons
- Affected versions: >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.5
- GitHub repository: https://github.com/spring-projects/spring-data-commons
- Published packages: https://central.sonatype.com/artifact/org.springframework.data/spring-data-commons
- Package manager: Maven
- Fixed in:
  - NES for Spring Data Commons 3.4.x
  - Spring Data Commons 4.0.6, 3.5.12 (OSS)
Vulnerability Info
Property path lookups are served by org.springframework.data.mapping.context.PersistentPropertyPathFactory, which caches the outcome of every resolution, keyed by the domain type and the raw path string, in a strong-reference ConcurrentHashMap with no upper bound:
    // Strong-reference map keyed by (domain type, raw path string); never evicted.
    private final Map<TypeAndPath, PathResolution> propertyPaths = new ConcurrentHashMap<>();

    private PersistentPropertyPath<P> getPersistentPropertyPath(TypeInformation<?> type, String propertyPath) {
        return getPotentiallyCachedPath(type, propertyPath).getResolvedPath();
    }

    // Every distinct key, including one whose resolution fails, is inserted and retained.
    private PathResolution getPotentiallyCachedPath(TypeInformation<?> type, String propertyPath) {
        return propertyPaths.computeIfAbsent(TypeAndPath.of(type, propertyPath),
                it -> createPersistentPropertyPath(it.path(), it.type()));
    }
Crucially, lookups that fail to resolve are cached too: an unresolvable path stores a PathResolution entry recording the failure, so every distinct invalid path an attacker submits adds one more permanently retained entry. Because the map holds strong references and is never evicted, a flood of unique invalid paths (for example, randomized sort parameters sent to a Spring Data REST endpoint) grows the heap without limit until the JVM runs out of memory. The same unbounded strong-reference caching pattern exists in the type alias caches of DefaultTypeMapper and SimpleTypeInformationMapper, which retain attacker-influenced alias strings indefinitely. The fixed versions replace these maps with bounded LRU caches so that attacker-supplied keys can no longer accumulate indefinitely. Prior releases held these cache entries through soft references that the garbage collector could reclaim under memory pressure, which is why only the listed versions are affected.
This vulnerability was introduced in 2024 with Spring Data Commons 3.4.
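To make the mechanism concrete, the following added example (not Spring Data's code; every class, method and property name in it is hypothetical) contrasts an unbounded strong-reference cache that retains failed lookups with the bounded LRU shape the advisory describes for the fixed releases, fed with a constructed flood of unique invalid paths.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Illustration only, not Spring Data's code: every name here is hypothetical.
public class PropertyPathCacheDemo {
    // Outcome of one lookup; failures are stored too, as the advisory describes.
    record Resolution(String path, boolean resolved) {}
    // Vulnerable shape: strong references, no eviction, failed lookups retained.
    static final class UnboundedCache {
        private final Map<String, Resolution> cache = new ConcurrentHashMap<>();
        Resolution get(String path, Function<String, Resolution> resolver) {
            return cache.computeIfAbsent(path, resolver);
        }
        int size() { return cache.size(); }
    }
    // Fixed shape: access-ordered LinkedHashMap that evicts the least recently
    // used entry once maxEntries is exceeded, so unique attacker keys cannot pile up.
    static final class BoundedLruCache {
        private final Map<String, Resolution> cache;
        BoundedLruCache(int maxEntries) {
            cache = new LinkedHashMap<>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Resolution> eldest) {
                    return size() > maxEntries;
                }
            };
        }
        synchronized Resolution get(String path, Function<String, Resolution> resolver) {
            return cache.computeIfAbsent(path, resolver);
        }
        synchronized int size() { return cache.size(); }
    }
    // Stand-in resolver: only "name" and "email" exist on the hypothetical domain type.
    static Resolution resolve(String path) {
        return new Resolution(path, path.equals("name") || path.equals("email"));
    }

    public static void main(String[] args) {
        UnboundedCache unbounded = new UnboundedCache();
        BoundedLruCache bounded = new BoundedLruCache(1_000);
        for (int i = 0; i < 100_000; i++) {          // constructed flood of unique invalid paths
            unbounded.get("nope" + i, PropertyPathCacheDemo::resolve);
            bounded.get("nope" + i, PropertyPathCacheDemo::resolve);
        }
        System.out.println("unbounded entries: " + unbounded.size()); // grows by one per unique path
        System.out.println("bounded entries:   " + bounded.size());   // capped at maxEntries
    }
}
```

Replace the sort-parameter loop with a heap-monitoring run to see the first cache's retained size track request count while the second stays flat.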
Mitigation
Spring Data Commons 3.4.x and earlier are End-of-Life in open source and will not receive public security updates. Affected users should not attempt to patch the caching infrastructure themselves.
We recommend one of the following:
- Upgrade to a supported, fixed release of Spring Data Commons (4.0.6, 3.5.12, or later).
- For applications that must remain on an End-of-Life line, adopt HeroDevs Never-Ending Support (NES) for Spring Data Commons, which provides a drop-in replacement that backports this fix to otherwise unsupported versions.