View all Vulnerabilities

CVE-2026-41851

Content Spoofing
Affects
Spring Framework
in
Spring
No items found.
Versions
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational application framework for the Java ecosystem, providing dependency injection, data access, web, and expression-evaluation support that underpins Spring Boot and most of the Spring portfolio. One of its components is the Spring Expression Language (SpEL), a runtime expression language used throughout Spring (for example in annotations such as @Value, in bean definitions, and in security and data-binding rules) and shipped in the spring-expression module. SpEL supports a matches operator that tests a string against a Java regular expression, and to avoid recompiling the same regex on every evaluation it caches the compiled java.util.regex.Pattern objects.

A medium-severity vulnerability (CVE-2026-41851) has been identified in that pattern cache. Applications that accept and evaluate user-supplied SpEL expressions are exposed because the cache that holds compiled regex patterns is an unbounded ConcurrentHashMap keyed by the regex string. Every distinct right-hand-side regex an attacker supplies to the matches operator becomes a new, permanent cache entry. By submitting a large number of distinct expressions, an attacker drives unbounded growth of that cache, exhausting the JVM heap and degrading or disabling the application (an OutOfMemoryError-style memory-exhaustion Denial of Service).

Per OWASP, a Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed; there are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resource-handling vulnerabilities, among others. Here the abused resource is heap memory: an unbounded cache that grows with the number of distinct attacker-supplied regular expressions is exactly the resource-handling failure mode that this category describes.

The CVSS v3.1 base score for this vulnerability is Medium with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The attack vector is Network, attack complexity and privileges required are Low and None because an application that evaluates untrusted SpEL exposes the cache directly, and there is no user interaction. The impact is Availability-only and Low (memory pressure that degrades or eventually halts the application); there is no confidentiality or integrity impact because the cache only grows, it does not leak or alter data.

This issue affects Spring Framework >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, and >=7.0.0 <=7.0.7. The vulnerability is only reachable in applications that evaluate user-supplied SpEL expressions; applications that only evaluate trusted, developer-authored expressions are not exposed.

Details

Module Info

Vulnerability Info

The vulnerability is in the SpEL matches operator, implemented by OperatorMatches in the spring-expression module, and in the shared pattern cache held by InternalSpelExpressionParser. When a SpEL expression of the form someInput matches someRegex is evaluated, the operator compiles the regex into a java.util.regex.Pattern and stores it in a cache keyed by the regex string so the next evaluation of the same regex can reuse it. The scope of the issue is limited to applications that evaluate user-supplied SpEL expressions; an application that only ever evaluates trusted expressions never feeds attacker-controlled regex strings into the cache.

Pre-fix, the cache was an unbounded ConcurrentHashMap. OperatorMatches held the cache as a ConcurrentMap and the no-arg constructor created a fresh ConcurrentHashMap, while InternalSpelExpressionParser held a shared ConcurrentHashMap for compiled patterns:

// OperatorMatches.java (pre-fix)
private final ConcurrentMap<String, Pattern> patternCache;

@Deprecated
public OperatorMatches(int startPos, int endPos, SpelNodeImpl... operands) {
    this(new ConcurrentHashMap<>(), startPos, endPos, operands);
}

// in getValueInternal(...):
Pattern pattern = this.patternCache.get(regex);
if (pattern == null) {
    checkRegexLength(regex);
    pattern = Pattern.compile(regex);
    this.patternCache.putIfAbsent(regex, pattern);
}


Because the cache has no maximum size and never evicts entries, every distinct regex string becomes a permanent entry. There was already a per-regex length limit (MAX_REGEX_LENGTH, 1000 characters), but that only caps the size of any single entry, not the number of entries. An attacker who can supply many distinct regex strings (each one well under the length limit, but each a unique cache key) drives the cache to grow without bound until the heap is exhausted.

The fix replaces the unbounded ConcurrentHashMap with a bounded ConcurrentLruCache capped at a fixed maximum number of compiled patterns, in both OperatorMatches and InternalSpelExpressionParser:

// OperatorMatches.java (post-fix)
/**
 * Maximum number of compiled regular expressions in the pattern cache: {@value}.
 */
public static final int MAX_PATTERN_CACHE_SIZE = 256;

private final ConcurrentLruCache<String, Pattern> patternCache;

@Deprecated(since = "5.2.23", forRemoval = true)
public OperatorMatches(int startPos, int endPos, SpelNodeImpl... operands) {
    this(new ConcurrentLruCache<>(MAX_PATTERN_CACHE_SIZE, Pattern::compile), startPos, endPos, operands);
}

// in getValueInternal(...): the regex length is checked up front, then the
// bounded LRU cache compiles and evicts entries beyond the cap:
if (regex.length() > MAX_REGEX_LENGTH) {
    throw new SpelEvaluationException(rightOp.getStartPosition(),
            SpelMessage.MAX_REGEX_LENGTH_EXCEEDED, MAX_REGEX_LENGTH);
}
Pattern pattern = this.patternCache.get(regex);


With the bounded ConcurrentLruCache, the cache holds at most MAX_PATTERN_CACHE_SIZE (256) compiled patterns and evicts the least-recently-used entry when full, so a stream of distinct attacker-supplied regexes can no longer grow memory without limit. The deprecated OperatorMatches(ConcurrentMap, ...) constructor is retained for binary compatibility but now ignores the supplied map and delegates to the bounded cache. The unbounded ConcurrentMap pattern cache has been part of OperatorMatches across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x lines (the matches operator itself dates to Spring Framework 3.0). The advisory's listed range starting at 5.3.0 reflects Spring's currently-supported lines; older lines, including the lines covered by NES support, carry the identical unbounded cache and are also affected.

Steps To Reproduce

1. Build a minimal application that evaluates an untrusted SpEL expression supplied by the caller, for example:

   import org.springframework.expression.Expression;
   import org.springframework.expression.spel.standard.SpelExpressionParser;

   SpelExpressionParser parser = new SpelExpressionParser();

   void evaluateUserExpression(String userSuppliedExpression) {
       Expression expression = parser.parseExpression(userSuppliedExpression);
       expression.getValue();
   }


2. Drive the endpoint with many distinct matches expressions, each carrying a unique regular expression (each well under the 1000-character regex length limit), so that every request inserts a new, unique key into the pattern cache:

   for (int i = 0; i < 5_000_000; i++) {
       // Each iteration supplies a distinct regex string, so each becomes a
       // new permanent entry in the unbounded pattern cache.
       evaluateUserExpression("'x' matches 'attacker" + i + ".*'");
   }


3. Observe the JVM heap. On a pre-fix version the pattern cache grows without bound, retaining one compiled java.util.regex.Pattern per distinct regex string, until the application slows under GC pressure and ultimately fails with java.lang.OutOfMemoryError: Java heap space.

4. Repeat against a fixed version (6.2.19, 7.0.8, or a HeroDevs NES build). The pattern cache is now a bounded ConcurrentLruCache capped at 256 entries, so memory stays flat regardless of how many distinct regexes are supplied and no OutOfMemoryError occurs.

Mitigation

Only recent versions of Spring Framework receive community support and updates. Older versions, including the 5.3.x and 6.1.x lines, have no publicly available open source fix for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework. The OSS fix ships in Spring Framework 6.2.19 (6.2.x line) and 7.0.8 (7.0.x line).
  • As an interim hardening step, avoid evaluating user-supplied SpEL expressions. Treat SpEL as code: restrict expression evaluation to trusted, developer-authored expressions, and do not pass untrusted input through parseExpression. This removes the attacker's ability to populate the cache with arbitrary distinct regexes.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework, which provides patched builds of the 4.3.x, 5.3.x, and 6.1.x lines that include the bounded pattern cache.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-41851
PROJECT Affected
Spring Framework
Versions Affected
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
Content Spoofing
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.