View all Vulnerabilities

CVE-2026-41848

ReDoS Vulnerability
Affects
Spring Framework
in
Spring
No items found.
Versions
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational application framework for the Java platform, providing core support for dependency injection, web applications, data access, and a large library of general-purpose utilities used throughout the Spring ecosystem. One of those utilities is org.springframework.util.AntPathMatcher, an Ant-style path pattern matcher in the spring-core module that compiles glob-and-template patterns into Java regular expressions and matches request paths and other strings against them.

A low-severity vulnerability (CVE-2026-41848) has been identified in AntPathMatcher. An application may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern that is then directly or indirectly supplied to one of the methods match(String pattern, String path), matchStart(String pattern, String path), or extractUriTemplateVariables(String pattern, String path). The abused input is the pattern argument, not the path being matched, so the risk applies to applications that build Ant patterns out of untrusted input rather than to applications whose patterns are entirely developer-defined.

Per OWASP, a Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most regular-expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size); an attacker can cause a program using a regular expression to enter these extreme situations and then hang for a very long time. In AntPathMatcher, a crafted pattern is compiled into a backtracking java.util.regex.Pattern that can take super-linear time to evaluate against a suitable input, tying up the matching thread.

The CVSS v3.1 base score for this vulnerability is Low with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The attack vector is Network because a crafted pattern can arrive over the network in applications that derive patterns from request data, attack complexity is High because the attacker must both craft a pathological pattern and arrange for it to reach one of the affected methods, and no privileges or user interaction are required. The impact is Availability-only and Low (a single matching operation is slowed or hangs); there is no confidentiality or integrity impact because the matcher only evaluates the pattern, it does not expose or modify data.

This issue affects Spring Framework >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, and >=7.0.0 <=7.0.7.

Details

Module Info

Vulnerability Info

The vulnerability lives in the AntPathStringMatcher inner class of AntPathMatcher in the spring-core module. When a pattern segment contains a URI template variable with an embedded regular expression, for example a {name:<regex>} token, the matcher splices that caller-supplied regex literally into a larger java.util.regex.Pattern. The glob compiler is driven by a fixed glob pattern that is identical across the affected lines. For a single-character wildcard token the compiler appends a dot, for a multi-character wildcard token it appends a dot-star, and for a bare {name} token it appends the default variable pattern, while a {name:<regex>} token contributes the embedded regex verbatim. Because the resulting Pattern is evaluated by Java's backtracking regex engine, a pattern crafted to induce catastrophic backtracking (for example overlapping quantifiers in the embedded regex or many wildcard segments) can make the match consume CPU for a very long time on a suitable input.

Pre-fix, matchStrings ran the compiled pattern against the raw input string with no bound on how long matching could take:

public boolean matchStrings(String str, @Nullable Map<String, String> uriTemplateVariables) {
    if (this.exactMatch) {
        return this.caseSensitive ? this.rawPattern.equals(str) : this.rawPattern.equalsIgnoreCase(str);
    }
    else if (this.pattern != null) {
        Matcher matcher = this.pattern.matcher(str);
        if (matcher.matches()) {
            // ... populate URI template variables ...
            return true;
        }
    }
    return false;
}

AntPathMatcher is one of the oldest utilities in spring-core and the URI-template-variable compilation path that produces the backtrackable regex has existed across the 3.x, 4.x, 5.x, and 6.x lines. The advisory's listed range starting at 5.3.0 reflects Spring's currently-supported scope; older lines, including the lines covered by NES support, contain the same unbounded matching code and are also affected.

Steps To Reproduce

1. In an application that uses AntPathMatcher, arrange for attacker-controlled input to reach the pattern argument of one of the affected methods. The simplest standalone reproduction calls the matcher directly:

   import org.springframework.util.AntPathMatcher;

   AntPathMatcher matcher = new AntPathMatcher();
   // A pattern crafted to induce catastrophic backtracking in the
   // compiled java.util.regex.Pattern (embedded regex with overlapping
   // quantifiers), supplied as the *pattern* argument:
   String maliciousPattern = "/{x:(a+)+$}";
   String path = "/" + "a".repeat(60) + "!"; // input that forces backtracking
   matcher.match(maliciousPattern, path);


2. Observe that the call to match (or matchStart, or extractUriTemplateVariables) does not return promptly: the compiled regex backtracks for a long time on the supplied input, consuming a CPU core. With enough such requests an attacker can exhaust the application's request-handling threads, producing a denial of service.

3. After upgrading to a fixed version (6.2.19, 7.0.8, or a HeroDevs NES build), repeat the call. Once the regex engine performs more than 1,000,000 character accesses on the input, matching aborts with an IllegalStateException ("Too many character access attempts encountered during pattern matching") instead of hanging.

Mitigation

Only recent versions of Spring Framework receive community support and updates. The 6.1.x and 5.3.x lines are past their open-source support window, so there is no public OSS fix for those lines. Older lines, including 4.3.x, have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework. The OSS fix ships in Spring Framework 6.2.19 (6.2.x line) and 7.0.8 (7.0.x line).
  • As an interim hardening step, avoid constructing AntPathMatcher patterns from untrusted input. Ensure that the pattern arguments passed to match, matchStart, and extractUriTemplateVariables are developer-defined constants rather than values derived from request data.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework.

Credits

  • This issue was discovered internally by the Spring team.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Low
ID
CVE-2026-41848
PROJECT Affected
Spring Framework
Versions Affected
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
ReDoS Vulnerability
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.