Impact
Spring Data Commons has a denial-of-service flaw that is reachable when Spring Data Web Support is enabled and a controller method uses @ProjectedPayload. An attacker can trigger the bug by sending a deliberately crafted HTTP request that causes the framework to allocate large amounts of memory, exhausting system resources and rendering the application unresponsive. The weakness is an uncontrolled resource consumption issue (CWE-400) that compromises the availability of the affected endpoints.
Affected Systems
All versions of Spring Data Commons from 2.7.0 through 2.7.19, 3.0.0 through 3.0.15, 3.1.0 through 3.1.14, 3.2.0 through 3.2.15, 3.3.0 through 3.3.16, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5 are susceptible. The vendor product affected is Spring Data Commons, a component of the Spring Framework.
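The version ranges above are what a defender needs to triage a dependency inventory. The following added example (written for this page, not part of the advisory or of the Spring Data project) encodes those inclusive ranges and checks Maven `dependency:tree` or Gradle `dependencies` output for `spring-data-commons` entries. The sample report lines are constructed; the tool only reports whether a version falls inside a listed affected range, it does not claim which later versions contain the fix.

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges (major, minor, patch), copied from the advisory text.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((2, 7, 0), (2, 7, 19)),
    ((3, 0, 0), (3, 0, 15)),
    ((3, 1, 0), (3, 1, 14)),
    ((3, 2, 0), (3, 2, 15)),
    ((3, 3, 0), (3, 3, 16)),
    ((3, 4, 0), (3, 4, 14)),
    ((3, 5, 0), (3, 5, 11)),
    ((4, 0, 0), (4, 0, 5)),
]

# major.minor.patch with an optional qualifier such as "-SNAPSHOT" or "-M1".
# Assumption: the qualifier is ignored and the numeric base is compared, so
# pre-release builds of an affected base version are flagged as affected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")

# Matches the artifact in Maven ("...:spring-data-commons:jar:3.2.5:compile")
# and Gradle ("...:spring-data-commons:3.2.5" or "...:2.7.18 -> 2.7.19") output.
_DEP_RE = re.compile(
    r"org\.springframework\.data:spring-data-commons:(?:jar:)?([\w.\-]+)"
    r"(?:\s*->\s*([\w.\-]+))?"
)


def parse_version(version: str) -> Version:
    """Turn '3.2.5' (optionally with a qualifier) into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_dependency_report(lines: Iterable[str]) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every spring-data-commons entry found.

    For Gradle conflict resolution ("requested -> resolved") the resolved
    version is the one that actually ships, so that is the one checked.
    """
    findings: List[Tuple[str, bool]] = []
    for line in lines:
        m = _DEP_RE.search(line)
        if not m:
            continue
        version = m.group(2) or m.group(1)
        findings.append((version, is_affected(version)))
    return findings


# Constructed sample: two Maven lines followed by three Gradle lines.
SAMPLE_REPORT = """\
[INFO] +- org.springframework.data:spring-data-jpa:jar:3.2.5:compile
[INFO] |  \\- org.springframework.data:spring-data-commons:jar:3.2.5:compile
+--- org.springframework.data:spring-data-commons:3.3.17
+--- org.springframework.data:spring-data-commons:2.7.18 -> 2.7.19
+--- org.springframework.data:spring-data-commons:4.0.6
""".splitlines()


if __name__ == "__main__":
    for version, affected in scan_dependency_report(SAMPLE_REPORT):
        status = "AFFECTED" if affected else "not in an affected range"
        print(f"spring-data-commons {version}: {status}")
```

Feed the real output of `mvn dependency:tree` or `gradle dependencies` into `scan_dependency_report` to get the same per-version verdict across a build. Only the `spring-data-commons` artifact is matched, since that is the component the advisory names; transitive consumers such as `spring-data-jpa` are deliberately not checked by their own version.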
Risk and Exploitability
The CVSS base score of 5.9 indicates moderate severity. No EPSS information is available, and the vulnerability has not been listed in CISA KEV, suggesting that known exploitation is currently low or absent. An attacker would need to be able to send HTTP requests to the vulnerable endpoint and exploit the framework's lack of bounds checking during data binding; the attack does not require elevated privileges. Although exploitation requires the presence of Spring Data Web Support and @ProjectedPayload, and despite the moderate CVSS score and the absence of known exploit activity, organizations using the affected code should still prioritize applying a patch or reconfiguring the application.
OpenCVE Enrichment