CVE-2026-41711

Category: Denial of Service
Affects: Spring Data Commons (Spring)
Versions: >=2.5.0 <=2.5.12, >=2.7.0 <=2.7.19, >=3.0.0 <=3.0.15, >=3.1.0 <=3.1.14, >=3.2.0 <=3.2.15, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.5
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Data Commons is the foundational module of the Spring Data project, providing the shared abstractions used by every Spring Data store module, including repositories, paging and sorting support, projections, and the web binding layer that maps HTTP request parameters onto those abstractions.

A medium-severity vulnerability (CVE-2026-41711) has been identified in Spring Data Commons. Applications may be vulnerable to a denial of service attack leading to a StackOverflowException when parsing Sort parameters. The issue arises when untrusted request parameters reach Spring Data's property path resolution: either because an endpoint accepts Sort parameters from untrusted sources and passes them on without sanitization, or because an endpoint exposes parameters annotated with @ProjectedPayload or @QuerydslPredicate. The property names carried by those parameters are parsed by the PropertyPath class, whose recursive parsing did not enforce a maximum traversal depth, so a single crafted, sufficiently long property path expression can exhaust the stack and crash the request thread. Spring Data Commons does not directly expose this API to untrusted callers; exposure depends on the consuming Spring Data module or application code.
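The paragraph above names the missing control on the application side: Sort parameters taken from an untrusted client and passed on without sanitization. The following class is an added example, not code from Spring Data Commons or from this advisory, showing one way to keep unknown or oversized property paths away from PropertyPath resolution by checking length and exact membership in an allowlist before Spring Data ever parses the value. The allowlist entries, the limits and the message texts are assumptions for the example; it only covers the Sort parameter vector, not @ProjectedPayload or @QuerydslPredicate binding, and it does not replace the version upgrade.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.data.domain.Sort;

/**
 * Application-side sanitization of Sort parameters before they reach Spring Data.
 * Illustrative code added to this advisory, not part of Spring Data Commons; the
 * allowlist, limits and message texts are assumptions for the example.
 */
public final class SortSanitizer {

    /** Properties clients may sort by; the dotted entry is a fixed, known path (assumed). */
    private static final Set<String> ALLOWED = Set.of("createdAt", "total", "customer.lastName");

    /** Bounds well below what any legitimate client needs (assumed values). */
    private static final int MAX_ORDERS = 5;
    private static final int MAX_PROPERTY_LENGTH = 64;

    private SortSanitizer() {}

    /**
     * Lenient variant: keep only allowlisted orders, so an unknown or oversized
     * property path is dropped instead of being handed to PropertyPath resolution.
     */
    public static Sort sanitize(Sort untrusted) {
        List<Sort.Order> accepted = untrusted.stream()
            .filter(order -> isAcceptable(order.getProperty()))
            .limit(MAX_ORDERS)
            .collect(Collectors.toList());
        return accepted.isEmpty() ? Sort.unsorted() : Sort.by(accepted);
    }

    /** Strict variant: reject the whole request when any order is not allowlisted. */
    public static Sort requireAllowed(Sort untrusted) {
        int count = 0;
        for (Sort.Order order : untrusted) {
            if (++count > MAX_ORDERS) {
                throw new IllegalArgumentException("Too many sort orders (max " + MAX_ORDERS + ")");
            }
            String property = order.getProperty();
            if (!isAcceptable(property)) {
                // Do not echo the untrusted value back; report only its length.
                int length = property == null ? 0 : property.length();
                throw new IllegalArgumentException("Unsupported sort property (length " + length + ")");
            }
        }
        return untrusted;
    }

    /** Length check first, then exact match against the allowlist: the path is never parsed here. */
    static boolean isAcceptable(String property) {
        return property != null
            && property.length() <= MAX_PROPERTY_LENGTH
            && ALLOWED.contains(property);
    }
}
```

In a controller that takes a Pageable, the sanitized sort is applied by rebuilding the page request, for example PageRequest.of(pageable.getPageNumber(), pageable.getPageSize(), SortSanitizer.sanitize(pageable.getSort())), before it is passed to the repository. The strict variant suits APIs whose clients are expected to send only documented sort keys, since a rejected request is easier to notice in logs than a silently dropped order.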

Per OWASP, a Denial of Service attack is "an attack meant to shut down a machine or network, making it inaccessible to its intended users" by exhausting a resource such that legitimate requests can no longer be served.

This issue affects versions >=2.5.0 <=2.5.12, >=2.7.0 <=2.7.19, >=3.0.0 <=3.0.15, >=3.1.0 <=3.1.14, >=3.2.0 <=3.2.15, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, and >=4.0.0 <=4.0.5 of Spring Data Commons.

Details

Module Info

Vulnerability Info

When Spring Data resolves a property path, for example the property names carried by a Sort parameter or by @ProjectedPayload and @QuerydslPredicate binding, the string is handed to the PropertyPath.from factory method.

That method first tokenizes the incoming expression in an unbounded splitter loop, then resolves each segment through the recursive create method. Whenever a segment does not match a property directly, create splits the string at a camel-case boundary and calls itself again on the shortened head and recombined tail, repeating until a property resolves:

// PropertyPath.from() — no limit on segment count
while (matcher.find()) {
    iteratorSource.add(matcher.group(1));
}

// PropertyPath.create() — unbounded recursion, no depth guard
return create(head, type, tail + addTail, base);

The create() method has no depth guard. When a segment does not resolve directly, it splits at a camel-case boundary and recurses without limit. Combined with the unbounded splitter loop in from(), a sufficiently long crafted property path expression drives the stack deep enough to raise a StackOverflowException, terminating the request thread. The fixed versions enforce a maximum traversal depth of 1000 across both paths, rejecting oversized input with an IllegalArgumentException instead of crashing. A single crafted HTTP request is sufficient to trigger the issue.
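To make the two guards concrete, the class below is an added, simplified model of a property-path resolver, written for this advisory and not taken from Spring Data's PropertyPath. It reproduces the shape of the algorithm described above (a splitter loop over segments, then a recursive create that retries on the head up to the last camel-case boundary) and adds the bound in both places: the loop stops accepting segments and the recursion stops retrying once MAX_DEPTH is reached, failing with an IllegalArgumentException instead of exhausting the stack. The depth limit of 1000 is the value stated in this advisory; the tiny type map, the splitter pattern, the method signatures and the messages are assumptions of the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Simplified model of a property-path resolver with the traversal-depth guard
 * that the fixed versions add. Illustrative code only, not Spring Data's
 * PropertyPath: the type model, splitter and messages are assumptions.
 */
public final class BoundedPropertyPath {

    /** Maximum traversal depth the fixed versions enforce (value from the advisory). */
    static final int MAX_DEPTH = 1000;

    /** Splits "customer.address" style expressions on '.' or '_' (simplified). */
    private static final Pattern SPLITTER = Pattern.compile("([^._]+)");

    /**
     * Constructed type model: type name -> (property name -> property type name).
     * Stands in for the reflection the real resolver performs.
     */
    private static final Map<String, Map<String, String>> TYPES = Map.of(
        "Invoice",  Map.of("customer", "Customer", "total", "BigDecimal"),
        "Customer", Map.of("address", "Address", "lastName", "String"),
        "Address",  Map.of("zipCode", "String", "city", "String"));

    private BoundedPropertyPath() {}

    /** Resolves an expression such as "customer.addressZipCode" against a root type. */
    public static List<String> from(String expression, String rootType) {
        List<String> segments = new ArrayList<>();
        Matcher matcher = SPLITTER.matcher(expression);
        while (matcher.find()) {
            // Guard 1: bounded splitter loop. Oversized input is rejected before
            // any recursion happens, instead of being tokenized without limit.
            if (segments.size() >= MAX_DEPTH) {
                throw new IllegalArgumentException("Property path exceeds maximum depth of " + MAX_DEPTH);
            }
            segments.add(matcher.group(1));
        }
        List<String> resolved = new ArrayList<>();
        String currentType = rootType;
        for (String segment : segments) {
            currentType = create(segment, currentType, "", 0, resolved);
        }
        return resolved;
    }

    /**
     * Resolves one segment, which may be several camel-cased properties fused
     * together (e.g. "addressZipCode"), and returns the type of the last property.
     */
    static String create(String source, String type, String addTail, int depth, List<String> out) {
        // Guard 2: every recursive retry increments depth; beyond the limit we fail
        // with a controlled exception rather than exhausting the thread's stack.
        if (depth >= MAX_DEPTH) {
            throw new IllegalArgumentException("Property path exceeds maximum depth of " + MAX_DEPTH);
        }
        Map<String, String> properties = TYPES.getOrDefault(type, Map.of());
        String name = decapitalize(source);
        if (properties.containsKey(name)) {
            out.add(name);
            String propertyType = properties.get(name);
            // Whatever was cut off earlier is resolved against the matched property's type.
            return addTail.isEmpty() ? propertyType : create(addTail, propertyType, "", depth + 1, out);
        }
        // No direct match: retry with the head up to the last camel-case boundary and
        // push the cut-off suffix onto the tail. Each retry is one more stack frame.
        int boundary = lastCamelCaseBoundary(source);
        if (boundary <= 0) {
            throw new IllegalArgumentException("No property '" + source + "' found on type " + type);
        }
        return create(source.substring(0, boundary), type, source.substring(boundary) + addTail, depth + 1, out);
    }

    private static int lastCamelCaseBoundary(String s) {
        for (int i = s.length() - 1; i > 0; i--) {
            if (Character.isUpperCase(s.charAt(i))) {
                return i;
            }
        }
        return -1;
    }

    private static String decapitalize(String s) {
        return s.isEmpty() ? s : Character.toLowerCase(s.charAt(0)) + s.substring(1);
    }

    public static void main(String[] args) {
        System.out.println(from("customer.addressZipCode", "Invoice"));
        try {
            // Constructed oversized input: thousands of camel-case boundaries in one segment.
            from("aB".repeat(2000), "Invoice");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

With the type map above, the first call resolves "customer.addressZipCode" to the three properties customer, address and zipCode after two camel-case retries. The second call shrinks its segment by two characters per retry, so without a guard it would need about 2000 nested frames; with the guard the recursion stops at depth 1000 and the caller receives an exception it can map to a 400 response. Rejecting in the splitter loop as well matters because a path with thousands of dot-separated segments never reaches the recursive retry at all.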

Mitigation

Only recent versions of Spring Data Commons receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Data Commons (3.5.12 or 4.0.6).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Data Commons. Learn more about HeroDevs Never-Ending Support for Spring Data Commons.
Vulnerability Details

Severity: Medium
  (CVSS scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-41711
Project Affected: Spring Data Commons
Versions Affected: >=2.5.0 <=2.5.12, >=2.7.0 <=2.7.19, >=3.0.0 <=3.0.15, >=3.1.0 <=3.1.14, >=3.2.0 <=3.2.15, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.5
NES Versions Affected:
Published date: June 16, 2026
Fix date (approximate): June 16, 2026
Category: Denial of Service