Impact
This issue involves an infinite recursion in the routing layer of Spring Cloud Function, causing an out‑of‑memory error when handling requests. The vulnerability leads to resource exhaustion and termination of the application, effectively denying service to legitimate users. The weakness corresponds to uncontrolled recursion (CWE‑674).
Affected Systems
The affected product is Spring Cloud Function, from the vendor Spring. Versions prior to 3.2.16 in the 3.2.x line, prior to 4.1.10 in the 4.1.x line, prior to 4.2.6 in the 4.2.x line, prior to 4.3.3 in the 4.3.x line, and prior to 5.0.2 in the 5.0.x line are vulnerable; older, unsupported releases are also impacted.
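An added example, not part of the advisory or of Spring's code: a Python triage helper that applies the version ranges above to Maven `dependency:tree` output. The sample input is constructed; treating unlisted older release lines and pre-release builds of a fixed patch as vulnerable is an assumption of this example.

```python
import re

# Fixed patch level per release line, as listed in the advisory text above.
FIXED = {(3, 2): 16, (4, 1): 10, (4, 2): 6, (4, 3): 3, (5, 0): 2}
NEWEST_LINE = max(FIXED)
# Maven dependency:tree coordinates: groupId:artifactId:type:version:scope
COORD = re.compile(r"org\.springframework\.cloud:(spring-cloud-function[\w-]*):\w+:([^:\s]+)")

def classify(version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for one version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    line = (int(m.group(1)), int(m.group(2)))
    patch, suffix = int(m.group(3)), m.group(4)
    if line not in FIXED:
        # Assumption: any unlisted line older than the newest listed one is an
        # unsupported release and counts as impacted; newer lines are not covered.
        return "vulnerable" if line < NEWEST_LINE else "unlisted"
    if patch < FIXED[line]:
        return "vulnerable"
    # Assumption: a SNAPSHOT/milestone/RC build of the fixed patch may predate the fix.
    if patch == FIXED[line] and re.search(r"SNAPSHOT|RC\d*|M\d+", suffix, re.I):
        return "vulnerable"
    return "fixed"

def triage(tree_output):
    """Map each spring-cloud-function artifact found in the text to its status."""
    return {f"{art}:{ver}": classify(ver) for art, ver in COORD.findall(tree_output)}

# Constructed sample input, not output from a real project.
SAMPLE = """\
[INFO] +- org.springframework.cloud:spring-cloud-function-web:jar:4.1.9:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-function-context:jar:4.1.10:compile
[INFO] +- org.springframework.cloud:spring-cloud-function-core:jar:3.1.7:compile
[INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:5.0.2-SNAPSHOT:compile
[INFO] \\- org.springframework.cloud:spring-cloud-stream:jar:4.1.0:compile
"""

if __name__ == "__main__":
    for coord, status in triage(SAMPLE).items():
        print(f"{status:10} {coord}")
```

A result of `unlisted` means the release line is newer than any the advisory names, so the advisory text alone does not settle its status.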
Risk and Exploitability
Based on the description, it is inferred that an attacker with network access can send a crafted request that engages the routing mechanism to trigger the infinite recursion. With the resulting out‑of‑memory crash, the application terminates, denying service to all users of the affected instance. The CVSS score of 5.7 classifies this vulnerability as moderate, and the lack of an EPSS score and its absence from the CISA KEV catalog suggest that large‑scale exploitation is unlikely at present. Nonetheless, the attack can be executed without elevated privileges, highlighting the significance of promptly applying the fix.