Description
Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory.

Affected versions:
Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Data Commons has a denial-of-service flaw that is reachable when Spring Data Web Support is enabled and a controller method uses @ProjectedPayload. An attacker can trigger it by sending a deliberately crafted HTTP request that causes the framework to allocate large amounts of memory, exhausting system resources and rendering the application unresponsive. The weakness is an uncontrolled resource consumption issue (CWE-400) that affects the availability of the exposed endpoints.

Affected Systems

All versions of Spring Data Commons from 2.7.0 through 2.7.19, 3.0.0 through 3.0.15, 3.1.0 through 3.1.14, 3.2.0 through 3.2.15, 3.3.0 through 3.3.16, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5 are susceptible. The vendor product affected is Spring Data Commons, a component of the Spring Framework.

Risk and Exploitability

The CVSS base score of 5.9 indicates moderate severity. No EPSS information is available, and the vulnerability has not been listed in CISA KEV, suggesting that known exploitation is currently low or absent. An attacker would need to be able to send HTTP requests to the vulnerable endpoint and abuse the framework's lack of bounds checking during data binding; no elevated privileges are required. Although exploitation requires Spring Data Web Support and @ProjectedPayload to be in use, and the CVSS score is moderate with no known exploit activity, organizations running the affected versions should still prioritize applying a patch or reconfiguring the application.

Generated by OpenCVE AI on June 10, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Data Commons to the newest released version that contains the fix.
  • If immediate upgrade is not possible, disable Spring Data Web Support or remove usage of @ProjectedPayload until the vulnerability is patched.
  • Monitor application performance for unexpected memory consumption and implement request throttling or rate limiting as a temporary measure.
  • Check the vendor’s official website or security advisories for updates or patches if not already applied.



Advisories

No advisories yet.

References
History

Tue, 16 Jun 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Broadcom; Broadcom spring Data Commons
CPEs                |                | cpe:2.3:a:broadcom:spring_data_commons:*:*:*:*:*:*:*:*
Vendors & Products  |                | Broadcom; Broadcom spring Data Commons

Wed, 10 Jun 2026 18:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 11:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Spring; Spring spring Data Commons
Vendors & Products  |                | Spring; Spring spring Data Commons

Wed, 10 Jun 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Title       |                | Spring Data Commons Denial of Service via Data Binding
Weaknesses  |                | CWE-400
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-30T21:43:34.945Z

Reserved: 2026-04-22T06:21:37.021Z

Link: CVE-2026-41721

Vulnrichment

Updated: 2026-06-10T17:42:22.369Z

NVD

Status : Analyzed

Published: 2026-06-10T00:16:51.917

Modified: 2026-06-16T20:19:51.723

Link: CVE-2026-41721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:21:38Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption