View all Vulnerabilities

CVE-2026-41849

Denial of Service
Affects
Spring Framework
in
Spring
No items found.
Versions
>=5.3.0 <=5.3.48
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational application framework for the Java platform, providing dependency injection, data access, web, and expression-evaluation support to a large share of enterprise Java applications. One of its modules, spring-expression, implements the Spring Expression Language (SpEL): a runtime expression language that can query and manipulate object graphs, and that many applications evaluate against application-defined or, in some designs, externally-influenced input.

A high-severity vulnerability (CVE-2026-41849) has been identified in the SpEL evaluation logic. The SpEL multiply operator doubles as a string-repeat operator (multiplying a string by an integer repeats it). On the affected line, the size of the repeated text is computed with a 32-bit int multiplication before being checked against a fixed maximum, and the bounds check does not account for integer overflow. A crafted expression whose length-times-count product overflows the int range wraps to a negative or small value, slips past the size check, and then drives either an immediate failure or unbounded memory and CPU consumption, resulting in a Denial of Service.

Per OWASP, an integer overflow occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of bytes; when this occurs, the value may wrap to become a very small or negative number. Here the overflow of the repeated-text size calculation defeats a guard whose entire purpose is to bound resource usage, turning a single short expression into a resource-exhaustion vector.

This vulnerability only matters where an application evaluates attacker-influenced SpEL. Applications that never expose SpEL evaluation to untrusted input are not exposed through this path. This issue affects >=5.3.0 <=5.3.48 of Spring Framework.

Details

Module Info

Vulnerability Info

The vulnerability is in OpMultiply in the spring-expression module, specifically in the getValueInternal(ExpressionState) method that evaluates the multiply operator. When the left operand is a String and the right operand is an Integer, the operator performs string repetition. To bound output, the operator caps repeated text at MAX_REPEATED_TEXT_SIZE, which is 256 characters.

On the affected 5.3.x line, the requested size is computed and checked like this:

if (leftOperand instanceof String && rightOperand instanceof Integer) {
    String text = (String) leftOperand;
    int count = (Integer) rightOperand;
    int requestedSize = text.length() * count;
    checkRepeatedTextSize(requestedSize);
    StringBuilder result = new StringBuilder(requestedSize);
    for (int i = 0; i < count; i++) {
        result.append(text);
    }
    return new TypedValue(result.toString());
}

private void checkRepeatedTextSize(int requestedSize) {
    if (requestedSize > MAX_REPEATED_TEXT_SIZE) {
        throw new SpelEvaluationException(getStartPosition(),
                SpelMessage.MAX_REPEATED_TEXT_SIZE_EXCEEDED, MAX_REPEATED_TEXT_SIZE);
    }
}

The product text.length() * count is a plain int multiplication. When that product exceeds Integer.MAX_VALUE it wraps negative. checkRepeatedTextSize only rejects values strictly greater than 256, so a wrapped value that is negative or small passes the guard. Two failure modes follow. If requestedSize wraps negative, new StringBuilder(requestedSize) is constructed with a negative capacity and throws NegativeArraySizeException, which is an unchecked RuntimeException. If the wrapped value is less than 256 but non-negative, the guard is satisfied, yet the loop still iterates count times, where count is a very large positive number, appending text on each iteration and driving the heap and CPU toward exhaustion until the JVM throws OutOfMemoryError. Either way, a single short expression chosen so that length-times-count overflows can result in a denial of service for the evaluating thread or process.

The corrected behavior computes the repeated-text size with overflow detection rather than a wrapping int multiplication. Equivalent to the guard already present on later Spring Framework lines (which reject a result that is negative as well as one that exceeds the maximum), the fix computes the size with Math.multiplyExact and translates the overflow into the existing size-exceeded error:

int requestedSize = computeRepeatedTextSize(text, count);
checkRepeatedTextSize(requestedSize);

private int computeRepeatedTextSize(String text, int count) {
    try {
        return Math.multiplyExact(text.length(), count);
    }
    catch (ArithmeticException ex) {
        throw new SpelEvaluationException(getStartPosition(),
                SpelMessage.MAX_REPEATED_TEXT_SIZE_EXCEEDED, MAX_REPEATED_TEXT_SIZE);
    }
}

With this change an overflowing product can no longer wrap past the size check; it is detected and rejected with a SpelEvaluationException carrying MAX_REPEATED_TEXT_SIZE_EXCEEDED, exactly as an oversized-but-non-overflowing request already is. The control flow and the public API of OpMultiply are otherwise unchanged. Spring Framework lines 6.1.x and later are not affected by this issue: their repeat guard already rejects a negative result, so an integer-overflow wrap cannot bypass the check.

Mitigation

Spring Framework 4.3.x and 5.3.x are past their open-source support window, and there are no open-source 4.3.x or 5.3.x releases that contain the fix.

Users of the affected component should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework.
  • Where evaluating attacker-influenced SpEL is not required, avoid passing untrusted input into SpEL evaluation, which removes the attack surface for this issue.
  • Leverage a commercial support partner like HeroDevs for post-end-of-life security support through Never-Ending Support (NES) for Spring Framework, which provides a patched 4.3.x and 5.3.x build.

Credits

  • This issue was discovered internally by the Spring team.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-41849
PROJECT Affected
Spring Framework
Versions Affected
>=5.3.0 <=5.3.48
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
Denial of Service
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.