Description
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.


More precisely, an application can be vulnerable when all the following are true:

* the application is using Spring MVC or Spring WebFlux
* the application is serving static resources from the file system
* the application is running on a Windows platform


When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
Published: 2026-04-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring MVC or Spring WebFlux applications are vulnerable to a denial of service when they serve static resources from the file system on Windows. An attacker can craft malicious requests that resolve slowly, causing HTTP connections to remain open and exhaust server resources. The weakness is identified as CWE-400 and does not affect confidentiality or integrity, but can render the application unresponsive.

Affected Systems

The vulnerability affects applications built with VMware’s Spring Framework, specifically Spring MVC and Spring WebFlux. No specific affected release versions are listed in the advisory, so all deployments of these components on Windows should be evaluated for patch status.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity for this DoS vector. EPSS information is not available and the vulnerability is not listed in CISA KEV. The attack requires remote network access and is likely to succeed on any exposed instance that satisfies the three conditions of the vulnerability. If exploited, the application may serve no new requests until connections are released or the server is restarted.

Generated by OpenCVE AI on April 29, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Spring MVC and Spring WebFlux to the latest patched release from the vendor
  • Configure the application server or reverse proxy with tighter connection timeouts and a limit on concurrent connections for static resource handling
  • Deploy or update web application firewall rules to detect and block slowloris patterns targeting static content

Generated by OpenCVE AI on April 29, 2026 at 14:22 UTC.


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 13:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Vmware; Vmware spring Framework

Type: Vendors & Products
Values removed: (none)
Values added: Vmware; Vmware spring Framework

Wed, 29 Apr 2026 12:00:00 +0000

Type: Description
Values removed: (none)
Values added: Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is serving static resources from the file system * the application is running on a Windows platform When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Type: Title
Values removed: (none)
Values added: CVE-2026-22745 : Denial of service in static resource handling on Windows platforms

Type: Weaknesses
Values removed: (none)
Values added: CWE-400

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Vmware Spring Framework
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-29T13:23:54.622Z

Reserved: 2026-01-09T06:55:03.990Z

Link: CVE-2026-22745

Vulnrichment

Updated: 2026-04-29T13:23:51.873Z

NVD

Status : Received

Published: 2026-04-29T12:16:18.620

Modified: 2026-04-29T12:16:18.620

Link: CVE-2026-22745

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:30:13Z

Weaknesses