Description
Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.

Affected versions:
Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring HATEOAS uses an unbounded static cache for StringLinkRelation objects. The cache grows without limit when it receives attacker-supplied relation strings. This behavior can consume a large portion of heap memory, leading to application crashes or slowdown and effectively disrupting service availability. The weakness is documented as CWE-770.

Affected Systems

Vulnerable releases include Spring HATEOAS 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3.

Risk and Exploitability

The CVSS score of 7.5 denotes high severity. EPSS is not available, so no exploitation probability is provided, and the vulnerability is not listed in CISA KEV. The likely attack vector is via HTTP requests that introduce many unique link relations. An attacker able to invoke the library can trigger unrestricted memory growth, resulting in denial of service. No active exploitation reports are known at this time.

Generated by OpenCVE AI on June 9, 2026 at 05:20 UTC.
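The CWE-770 pattern the analysis describes, shown as an added Java example that is not Spring HATEOAS code: a hypothetical static interning cache keyed on request-controlled strings, beside a bounded variant that caps retained entries and refuses to cache oversized keys. The Relation record, the class name and the limits are assumptions chosen for illustration.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for a link-relation value type, not the library's class.
record Relation(String name) {}

final class RelationCaches {
    // CWE-770 pattern: a static, unbounded map. Every distinct string the
    // request supplies becomes a retained entry that is never evicted.
    private static final Map<String, Relation> UNBOUNDED = new ConcurrentHashMap<>();

    static Relation unboundedOf(String name) {
        return UNBOUNDED.computeIfAbsent(name, Relation::new);
    }

    // Hardened pattern: a fixed-capacity, access-ordered map that evicts its
    // eldest entry once the cap is exceeded, so request input can cause
    // churn but cannot grow the retained heap past MAX_ENTRIES.
    private static final int MAX_ENTRIES = 1_024;
    private static final int MAX_KEY_LENGTH = 256;
    private static final Map<String, Relation> BOUNDED = Collections.synchronizedMap(
        new LinkedHashMap<String, Relation>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Relation> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    static Relation boundedOf(String name) {
        // Oversized keys are served without being cached, so they retain nothing.
        if (name.length() > MAX_KEY_LENGTH) {
            return new Relation(name);
        }
        return BOUNDED.computeIfAbsent(name, Relation::new);
    }

    static int unboundedSize() { return UNBOUNDED.size(); }
    static int boundedSize() { return BOUNDED.size(); }

    public static void main(String[] args) {
        // Constructed load: 100,000 distinct relation names, one per request.
        for (int i = 0; i < 100_000; i++) {
            String rel = "rel-" + i;
            unboundedOf(rel);
            boundedOf(rel);
        }
        System.out.println("unbounded=" + unboundedSize() + " bounded=" + boundedSize());
    }
}
```

Run with `java RelationCaches.java` (Java 17 or later): the unbounded map retains one entry per distinct name while the bounded map never exceeds MAX_ENTRIES.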

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring HATEOAS to a non-vulnerable version if available.
  • If an upgrade cannot be performed immediately, adjust the application configuration to limit the size of the link-relation cache or disable caching of StringLinkRelation instances, if a configuration option exists.
  • Monitor application memory usage and throttle or block suspicious traffic that attempts to supply a large number of distinct relation strings.

Generated by OpenCVE AI on June 9, 2026 at 05:20 UTC.

Advisories

No advisories yet.

References
History

Tue, 09 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Spring; Spring spring Hateoas
Vendors & Products | (none) | Spring; Spring spring Hateoas

Tue, 09 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Title | (none) | Spring HATEOAS heap exhaustion through unbounded internal caching
Weaknesses | (none) | CWE-770
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Spring Spring Hateoas
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:20:25.239Z

Reserved: 2026-04-16T02:19:16.426Z

Link: CVE-2026-41007

Vulnrichment

Updated: 2026-06-09T13:20:20.691Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T05:16:35.033

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41007

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:55:44Z

Weaknesses