Description
Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a StackOverflowException when parsing Sort parameters.

Affected versions:
Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Affected applications use Spring Data Commons to handle sorting of query results. A crafted Sort parameter can cause the framework to recurse indefinitely, eventually throwing a StackOverflowException. This exception terminates the request thread and can exhaust server resources, resulting in a denial of service for legitimate users. The weakness is a resource exhaustion issue classified as CWE-400 (Uncontrolled Resource Consumption).

Affected Systems

Spring Data Commons versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, and 2.7.0 through 2.7.19 are vulnerable. Any application that incorporates one of those versions and exposes endpoints accepting Sort parameters is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog, suggesting a lower confirmed exploitation probability at this time. However, because the vulnerability can be triggered by a simple HTTP request carrying a specially crafted query string, it is plausibly exploitable remotely against exposed APIs that pass Sort parameters through the framework. Until a patch is applied, the root cause remains exploitable.

Generated by OpenCVE AI on June 10, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Data Commons to a version that includes the fix, such as 4.0.6 or later, as recommended by Spring Security.
  • Validate or sanitize Sort parameters in the application layer to reject malformed or excessively long sort expressions before they reach Spring Data Commons.
  • Implement rate limiting or request throttling for endpoints that accept sorting parameters to reduce the impact of a potential denial-of-service attack.
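The second recommended action above (reject malformed or oversized sort expressions before Spring Data Commons parses them) can be implemented as a servlet filter that runs ahead of the framework's sort argument resolution. The following is an added example written for this page; it is not code from OpenCVE or from the Spring Data project, and it does not reproduce the vulnerable input. It assumes the Jakarta servlet API used by the Spring Data 3.x and 4.x lines (the 2.7.x line uses javax.servlet), the default `sort` parameter name, and illustrative limits and an illustrative allow-list of sortable properties that an adopter would replace with their own.

```java
// Added example, not part of the OpenCVE record or of Spring Data Commons.
// Bounds and allow-lists the `sort` query parameters before Spring Data's
// SortHandlerMethodArgumentResolver sees them, so the framework never parses
// unbounded or unexpected sort expressions. Limits and property names are
// assumptions for illustration; jakarta.* assumes Spring Data 3.x/4.x.
package example.web;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;

@Component
public class SortParameterGuardFilter extends OncePerRequestFilter {

    // Default parameter name used by Spring Data's web support.
    static final String SORT_PARAM = "sort";

    // Assumed limits: tune to the real API's needs.
    static final int MAX_SORT_PARAMS = 5;
    static final int MAX_SORT_LENGTH = 64;

    // One property path (at most three dotted segments) plus an optional
    // direction. Deliberately stricter than Spring's own "prop1,prop2,desc"
    // form: one property per `sort` parameter keeps parsing trivially bounded.
    static final Pattern SORT_SYNTAX = Pattern.compile(
            "^[A-Za-z][A-Za-z0-9_]{0,40}(\\.[A-Za-z][A-Za-z0-9_]{0,40}){0,2}(,(asc|desc))?$",
            Pattern.CASE_INSENSITIVE);

    // Assumed allow-list of properties clients may sort on for this API.
    static final Set<String> ALLOWED_PROPERTIES = Set.of("id", "createdAt", "name", "owner.name");

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String reason = rejectionReason(request.getParameterValues(SORT_PARAM));
        if (reason != null) {
            // Fail closed with a client error before any Spring Data code runs.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, reason);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Returns null when the sort parameters are acceptable, otherwise a short reason. */
    static String rejectionReason(String[] sorts) {
        if (sorts == null) {
            return null; // no sorting requested
        }
        if (sorts.length > MAX_SORT_PARAMS) {
            return "too many sort parameters";
        }
        for (String sort : sorts) {
            if (sort.length() > MAX_SORT_LENGTH) {
                return "sort parameter too long";
            }
            if (!SORT_SYNTAX.matcher(sort).matches()) {
                return "malformed sort parameter";
            }
            // Property is everything before the optional ",asc"/",desc".
            String property = sort.split(",", 2)[0];
            if (!ALLOWED_PROPERTIES.contains(property)) {
                return "property is not sortable";
            }
        }
        return null;
    }
}
```

The filter rejects on three independent grounds (count, length, syntax/allow-list), so it does not depend on knowing the exact input shape that triggers the recursion; it simply refuses anything outside the small set of sort expressions the API intends to support. A request such as `?sort=createdAt,desc&sort=name` passes, while oversized, deeply nested or unknown-property sorts receive HTTP 400 before Spring Data Commons parses them. This is a defence-in-depth measure alongside the upgrade, not a substitute for it.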

Advisories

No advisories yet.

References

History

Wed, 10 Jun 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a StackOverflowException when parsing Sort parameters. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Title       |                | Potential Denial of Service through crafted Sort Parameters
Weaknesses  |                | CWE-400
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:48:12.215Z

Reserved: 2026-04-22T06:21:34.490Z

Link: CVE-2026-41711

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T00:16:51.337

Modified: 2026-06-10T00:16:51.337

Link: CVE-2026-41711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

Weaknesses