Description
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.


More precisely, an application can be vulnerable when all the following are true:

* the application is using Spring MVC or Spring WebFlux
* the application is serving static resources from the file system
* the application is running on a Windows platform


When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
Published: 2026-04-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring MVC or Spring WebFlux applications are vulnerable to a denial of service when they serve static resources from the file system on Windows. An attacker can craft malicious requests that resolve slowly, causing HTTP connections to remain open and exhaust server resources. The weakness is identified as CWE‑400 and CWE‑770 and does not affect confidentiality or integrity, but can render the application unresponsive.

Affected Systems

The vulnerability affects applications built with VMware’s Spring Framework, specifically Spring MVC and Spring WebFlux. No specific affected release versions are listed in the advisory, so all deployments of these components on Windows should be evaluated for patch status.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity for this DoS vector. The EPSS score of 0.00057 indicates a very low probability of exploitation and the vulnerability is not listed in CISA KEV. The likely attack vector is remote network access, and the attack is likely to succeed on any exposed instance that satisfies the three conditions of the vulnerability. If exploited, the application may serve no new requests until connections are released or the server is restarted.

Generated by OpenCVE AI on May 6, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Spring MVC and Spring WebFlux to the latest patched release from the vendor
  • Configure the application server or reverse proxy with tighter connection timeouts and a limit on concurrent connections for static resource handling
  • Enforce resource limits for static file access to mitigate excessive memory allocation vulnerabilities (CWE‑770)
  • Deploy or update web application firewall rules to detect and block slow‑loris patterns targeting static content

Generated by OpenCVE AI on May 6, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6p4f-wcwh-5vvm Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources
History

Wed, 06 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Framework
Vendors & Products Vmware
Vmware spring Framework

Wed, 29 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is serving static resources from the file system * the application is running on a Windows platform When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
Title CVE-2026-22745 : Denial of service in static resource handling on Windows platforms
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Microsoft Windows
Vmware Spring Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-29T13:23:54.622Z

Reserved: 2026-01-09T06:55:03.990Z

Link: CVE-2026-22745

cve-icon Vulnrichment

Updated: 2026-04-29T13:23:51.873Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T12:16:18.620

Modified: 2026-05-04T14:50:16.040

Link: CVE-2026-22745

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-29T11:35:21Z

Links: CVE-2026-22745 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T02:30:05Z

Weaknesses