CVE-2026-41721
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Data Commons is the foundational module of the Spring Data project, providing the shared repository abstractions, mapping metadata, and web-support infrastructure that the data-store-specific Spring Data modules (JPA, MongoDB, Redis, and others) build upon. Its web support includes argument resolution for interface-based request payloads annotated with @ProjectedPayload, binding HTTP request parameters into a projection proxy.
A medium-severity vulnerability (CVE-2026-41721) has been identified in this data-binding path. When Spring Data Web Support is enabled and a controller method takes a @ProjectedPayload parameter, request parameters are bound into a map-backed binder that evaluates each parameter name as an expression with collection auto-growing enabled and no upper bound. An attacker can send a single, specially crafted HTTP request whose parameter name indexes far into a collection; the binder grows that collection up to the requested index, allocating a large amount of memory in one request and exhausting the heap, which results in a Denial of Service.
Per OWASP, a Denial of Service attack is one in which "the attacker seeks to make a resource unavailable to its intended users." Here a short, unauthenticated request forces unbounded memory allocation, denying service to the affected application.
This vulnerability is only reachable where Spring Data Web Support is enabled together with a controller method using @ProjectedPayload. Applications that do not expose such an endpoint are not affected through this path. To assess exposure, check the resolved spring-data-commons version on the classpath (for example with mvn dependency:tree or gradle dependencies) and search the codebase for @ProjectedPayload on controller method parameters.
This issue affects versions >=2.5.0 <=2.5.12, >=2.7.0 <=2.7.19, >=3.0.0 <=3.0.15, >=3.1.0 <=3.1.14, >=3.2.0 <=3.2.15, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, and >=4.0.0 <=4.0.5 of Spring Data Commons. Versions that are no longer supported are also affected.
Details
Module Info
- Product: Spring Data Commons
- Affected packages: spring-data-commons
- Affected versions: >=2.5.0 <=2.5.12, >=2.7.0 <=2.7.19, >=3.0.0 <=3.0.15, >=3.1.0 <=3.1.14, >=3.2.0 <=3.2.15, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.5
- GitHub repository: https://github.com/spring-projects/spring-data-commons
- Published packages: https://central.sonatype.com/artifact/org.springframework.data/spring-data-commons
- Package manager: Maven
- Fixed in:
- NES for Spring Data Commons 2.5.x, 2.7.x, 3.2.x, 3.3.x, 3.4.x
- Spring Data Commons 4.0.6, 3.5.12 (OSS)
Vulnerability Info
The vulnerability is in MapDataBinder and ProxyingHandlerMethodArgumentResolver in the spring-data-commons web support. ProxyingHandlerMethodArgumentResolver is the HandlerMethodArgumentResolver that resolves interface-based controller parameters annotated with @ProjectedPayload. For each such parameter it constructs a MapDataBinder over the request and binds the HTTP request parameter map into it.
MapDataBinder treats each request parameter name as a SpEL property path evaluated against a map-backed root object through a SpelExpressionParser, so a parameter named someList[5] is resolved as indexed access into a collection. On affected versions the binder applies no auto-grow collection limit, and the parser is configured to auto-grow collections without a maximum:
private static class MapPropertyAccessor extends AbstractPropertyAccessor {

    // autoGrowNullReferences = false, autoGrowCollections = true; no maximumAutoGrowSize supplied
    private static final SpelExpressionParser PARSER = new SpelExpressionParser(
            new SpelParserConfiguration(false, true));
    ...
}
The second true passed to SpelParserConfiguration enables collection auto-growing, and because this two-argument constructor leaves maximumAutoGrowSize at its default of Integer.MAX_VALUE, the collection can grow without bound. The limit that a standard Spring DataBinder would enforce through its autoGrowCollectionLimit (256 by default) never reaches this parser, and ProxyingHandlerMethodArgumentResolver constructs the binder without any limit of its own. A request parameter whose name indexes deep into a collection, for example someList[2000000], therefore causes the expression evaluation to auto-grow the backing collection up to that index, filling every intermediate slot. The application allocates memory proportional to the attacker-chosen index in a single request, driving the heap toward OutOfMemoryError and denying service.
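The following stand-alone Java program is an added illustration, not code from spring-data-commons or the Spring team. It reproduces the parser behaviour described above by parsing an attacker-style parameter name with the same SpelParserConfiguration(false, true) setup and contrasts it with a configuration that supplies a maximumAutoGrowSize. It substitutes a hypothetical bean root (a Payload class with a someList property) for MapDataBinder's map-backed root and custom property accessor, the parameter names and the index 100000 are constructed inputs, and the cap of 256 is an assumption chosen to match Spring's DataBinder default autoGrowCollectionLimit.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.SpelParserConfiguration;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class AutoGrowDemo {

    /** Hypothetical bind target standing in for the binder's map-backed root (not from spring-data-commons). */
    public static class Payload {
        private List<String> someList = new ArrayList<>();
        public List<String> getSomeList() { return someList; }
        public void setSomeList(List<String> someList) { this.someList = someList; }
    }

    // Same configuration as the affected MapPropertyAccessor: auto-grow collections,
    // maximumAutoGrowSize left at its default of Integer.MAX_VALUE.
    static final SpelExpressionParser UNBOUNDED =
            new SpelExpressionParser(new SpelParserConfiguration(false, true));

    // Hardened variant: auto-grow still allowed, but capped at 256 elements
    // (assumed value, mirroring DataBinder's default autoGrowCollectionLimit).
    static final SpelExpressionParser BOUNDED =
            new SpelExpressionParser(new SpelParserConfiguration(false, true, 256));

    /**
     * Binds one request parameter the way the advisory describes: the parameter
     * name is parsed as an expression and the parameter value is written through it.
     * Returns the resulting size of the backing list.
     */
    static int bind(SpelExpressionParser parser, Payload target, String paramName, String paramValue) {
        Expression expr = parser.parseExpression(paramName);
        expr.setValue(new StandardEvaluationContext(target), paramValue);
        return target.getSomeList().size();
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled parameter name. 100000 keeps the demo well
        // inside a default heap; the advisory's 2000000 (or larger) is what exhausts it.
        String attackerParam = "someList[100000]";

        // Unbounded: SpEL fills every slot up to the index with new String() before setting the value.
        Payload p1 = new Payload();
        int grown = bind(UNBOUNDED, p1, attackerParam, "x");
        System.out.println("unbounded: one parameter grew the list to " + grown + " elements");

        // Bounded: the index check fires before any element is allocated.
        Payload p2 = new Payload();
        try {
            bind(BOUNDED, p2, attackerParam, "x");
            System.out.println("bounded: unexpectedly bound the value");
        } catch (SpelEvaluationException e) {
            System.out.println("bounded: rejected with " + e.getMessageCode()
                    + ", list size still " + p2.getSomeList().size());
        }

        // A legitimate index below the cap still binds under the hardened configuration.
        int small = bind(BOUNDED, new Payload(), "someList[3]", "ok");
        System.out.println("bounded, someList[3]: list size " + small);
    }
}
```

Compile and run with spring-expression (5.x or 6.x) on the classpath. The unbounded run reports a list of 100001 elements created from a single parameter; the bounded run throws a SpelEvaluationException with message code UNABLE_TO_GROW_COLLECTION and leaves the list empty, while someList[3] still binds and yields a list of 4. Raising the index in the unbounded case is what drives the process toward OutOfMemoryError, so do this only on a disposable JVM.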
Mitigation
Spring Data Commons 2.5.x, 2.7.x, 3.2.x, 3.3.x, and 3.4.x are past their open-source support window, and there is no open-source release on those lines that contains the fix. The fix for this issue is available in HeroDevs Never-Ending Support (NES) for Spring Data Commons on all five of those lines.
Users of the affected component should apply one of the following mitigations:
- Upgrade to a currently supported, fixed line of Spring Data Commons. The open-source fix ships in 3.5.12 (3.5.x line) and 4.0.6 (4.0.x line).
- Leverage a commercial support partner like HeroDevs for post-end-of-life security support through Never-Ending Support (NES) for Spring Data Commons, which provides a patched build for the affected lines. Learn more about HeroDevs Never-Ending Support for Spring Data Commons and request coverage at https://www.herodevs.com/support/spring-nes.
Credits
- This issue was discovered internally by the Spring team.