Spring Data Commons contains an internal property‑lookup cache that accepts attacker‑supplied strings as cache keys. Because the cache can grow without bounds, an attacker can repeatedly issue requests with unique keys, causing the heap to grow until the application runs out of memory or crashes. This vulnerability corresponds to CWE‑770, a resource or capacity exhaustion weakness. The result is a denial‑of‑service condition that can affect application availability.

The vendor and product affected are Spring Data Commons. The vulnerability exists in Spring Data Commons versions 2.7.0 through 2.7.19, 3.3.0 through 3.3.16, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5. All distributions that include the Spring Data web support component in those ranges are vulnerable.

The CVSS score of 7.5 indicates a high severity vulnerability, and the risk of exploitation is elevated when an attacker can send repeated requests to the vulnerable component. Although an EPSS score is not available, the absence of a KEV listing does not diminish the need to respond promptly. Because the cache is keyed on attacker‑supplied property names, the attack vector is inferred to be remote, through web requests to any endpoint that performs property lookup via the Spring Data web support. Successful exploitation requires no special authentication and simply sending a large number of unique property names, eventually exhausting heap space.