CVE-2026-41716

Denial of Service
Affects Spring Data Commons in Spring
Versions: >=2.5.0 <=2.5.12, >=2.7.0 <=2.7.19, >=3.2.0 <=3.2.12, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.5
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Data Commons is the foundational module of the Spring Data project, providing shared infrastructure (repositories, mapping metadata, property-path resolution, and web integration) used transitively by every Spring Data store module such as Spring Data JPA, MongoDB, and Redis.

A high-severity vulnerability, CVE-2026-41716, has been identified in Spring Data Commons. An internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys. By repeatedly sending requests that carry distinct property-name strings, including ones that do not resolve to any real property, an unauthenticated remote attacker can cause the cache to grow without bound until the JVM exhausts its heap and throws an OutOfMemoryError, denying service to the application.

Per OWASP, a denial of service attack aims to make a resource unavailable to its legitimate users, for example by exhausting memory, processing, or storage so the application can no longer respond to valid requests.

This issue affects versions >=2.5.0 <=2.5.12, >=2.7.0 <=2.7.19, >=3.2.0 <=3.2.12, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, and >=4.0.0 <=4.0.5 of Spring Data Commons. Versions that are no longer supported are also affected.

Details

Vulnerability Info

Spring Data Commons models the properties of every domain, projection, and parameter type through TypeInformation objects backed by the TypeDiscoverer class. Whenever Spring Data resolves a property name against a type, for example while handling web requests whose sort, filter, binding, or projection parameters carry property names, the lookup lands in TypeDiscoverer.getProperty(String name).

Each TypeDiscoverer instance keeps a per-type property cache that is an unbounded ConcurrentHashMap populated with computeIfAbsent. Every distinct name ever queried is interned into the cache, including names that do not resolve to any real property of the type, which are retained forever as empty entries:

// Per-type cache: one entry per distinct name ever queried, with no size bound and no eviction.
private final Map<String, Optional<TypeInformation<?>>> fields = new ConcurrentHashMap<>();

public TypeInformation<?> getProperty(String name) {
    // ...
    // A name that resolves to no property still stores Optional.empty() under that key, permanently.
    return fields.computeIfAbsent(name, this::getPropertyInformation).orElse(null);
}

Because the queried name is attacker-controlled and the cache has no capacity limit or eviction policy, an attacker can drive unbounded heap growth simply by issuing many requests with unique property-name strings. The cache behaves as a negative-result cache: a name that fails to resolve to a real property still consumes a permanent cache slot. Sustained over enough requests, this exhausts available heap and renders the application unavailable. The remediation replaces the per-name cache with a fixed-size map of the type's actual properties, computed once in a single pass over the type's declared fields and property descriptors, so unknown names are simply looked up and never stored.
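As an added illustration (not code from Spring Data Commons or the HeroDevs patch), the following Java program places the unbounded negative-caching pattern beside a fixed-size lookup of the kind the remediation describes. Customer, UnboundedNegativeCache and FixedPropertyLookup are hypothetical names, and reflection over plain fields stands in for Spring Data's property resolution.

```java
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

// Constructed stand-in for a domain type; its three fields are the only real properties.
class Customer { String firstName; String lastName; int age; }

// Vulnerable pattern: every queried name, resolved or not, becomes a permanent key.
class UnboundedNegativeCache {
    private final Class<?> type;
    private final Map<String, Optional<Field>> fields = new ConcurrentHashMap<>();
    UnboundedNegativeCache(Class<?> type) { this.type = type; }
    Field getProperty(String name) {
        return fields.computeIfAbsent(name, n -> {
            try { return Optional.of(type.getDeclaredField(n)); }
            catch (NoSuchFieldException e) { return Optional.empty(); } // negative result, kept forever
        }).orElse(null);
    }
    int cacheSize() { return fields.size(); }
}

// Hardened pattern, mirroring the remediation described above: the map is built once
// from the type's declared fields, so unknown names are looked up but never stored.
class FixedPropertyLookup {
    private final Map<String, Field> fields;
    FixedPropertyLookup(Class<?> type) {
        this.fields = Collections.unmodifiableMap(Arrays.stream(type.getDeclaredFields())
                .collect(Collectors.toMap(Field::getName, f -> f)));
    }
    Field getProperty(String name) { return fields.get(name); }
    int cacheSize() { return fields.size(); }
}

public class PropertyCacheDemo {
    public static void main(String[] args) {
        UnboundedNegativeCache vulnerable = new UnboundedNegativeCache(Customer.class);
        FixedPropertyLookup fixed = new FixedPropertyLookup(Customer.class);
        // Constructed input: many requests, each carrying a unique name that is not a property.
        for (int i = 0; i < 100_000; i++) {
            vulnerable.getProperty("nope" + i);
            fixed.getProperty("nope" + i);
        }
        System.out.println("unbounded cache entries: " + vulnerable.cacheSize());
        System.out.println("fixed lookup entries:    " + fixed.cacheSize());
    }
}
```

The unbounded map ends with one entry per bogus name while the fixed lookup never grows past the type's declared properties, which is the behaviour the fix restores.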

This vulnerability has been present since at least Spring Data Commons 2.5 and likely earlier.

Mitigation

Spring Data Commons versions in the affected ranges that are End-of-Life will not receive public OSS patches for this issue; the 2.5.x, 2.7.x, 3.2.x, 3.3.x, and 3.4.x lines have no publicly available fix, and applying unofficial patches yourself is not recommended. The fix for this issue is available in HeroDevs Never-Ending Support (NES) for Spring Data Commons on all five of those lines.

To remediate this vulnerability, the recommended actions are:

  1. Upgrade to a supported, fixed version of Spring Data Commons (3.5.12 or 4.0.6 for the OSS lines).
  2. For applications that must remain on an end-of-life line, use HeroDevs Never-Ending Support (NES) for Spring Data Commons, which provides a drop-in patched build without forcing a major upgrade. Learn more about HeroDevs Never-Ending Support for Spring Data Commons and request coverage.

Credits

  • This vulnerability was reported through the Spring project's security process.
Vulnerability Details

Severity: High (CVSS assessment scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-41716
Project Affected: Spring Data Commons
Versions Affected: >=2.5.0 <=2.5.12, >=2.7.0 <=2.7.19, >=3.2.0 <=3.2.12, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.5
NES Versions Affected:
Published date: June 18, 2026
≈ Fix date: June 18, 2026
Category: Denial of Service
VEX Document: Download VEX