Description
Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path).

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Published: 2026-06-09
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to supply a regular expression that is processed by AntPathMatcher, leading to a Regular Expression Denial of Service. The malicious pattern can cause excessive CPU consumption and eventual application unavailability; the weakness is classified as CWE-1333 (Inefficient Regular Expression Complexity).

Affected Systems

Spring Framework is affected in versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

Risk and Exploitability

The CVSS v3.1 score of 3.7 is rated Low severity (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L: network-reachable without privileges or user interaction, high attack complexity, and an impact on availability only). EPSS is below 1% and the vulnerability is not listed in the CISA KEV catalog. An attacker would need the ability to supply a crafted pattern to methods such as match, matchStart, or extractUriTemplateVariables, which may be achieved through input exposed via URLs or API endpoints. If exploited, the attacker could cause high CPU usage and potential service interruption, affecting application availability.

Generated by OpenCVE AI on June 9, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Framework to a fixed release (7.0.8 or later, 6.2.19 or later, 6.1.28 or later, or 5.3.49 or later).
  • If an upgrade cannot be performed immediately, sanitize or validate any user-supplied patterns before passing them to AntPathMatcher, ensuring that regular expressions are well-formed and do not include excessive backtracking constructs.
  • Continuously monitor application performance metrics for sudden spikes in CPU usage or process hangs that could indicate an ongoing ReDoS attack.
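One way to apply the validation step above, as an added Java example that is not code from this page or from the Spring project: untrusted input never becomes a pattern directly. The caller either selects one of the application's own allowlisted patterns, or, where a dynamic pattern is unavoidable, the pattern is rejected if it embeds a `{name:regex}` URI-template regex segment (the AntPathMatcher syntax that lets a pattern carry a regular expression) or exceeds a length cap. `ALLOWED_PATTERNS`, `MAX_PATTERN_LENGTH` and the sample patterns are assumptions; upgrading to a fixed release remains the actual fix.

```java
import org.springframework.util.AntPathMatcher;
import java.util.Set;

/** Guards AntPathMatcher against patterns that originate in untrusted input. */
public final class GuardedAntPathMatcher {

    // Assumption: the application's own fixed set of patterns (constructed example values).
    private static final Set<String> ALLOWED_PATTERNS = Set.of(
            "/api/v1/users/{id}", "/static/**", "/docs/*.html");

    // Assumption: a conservative upper bound for any pattern accepted from outside.
    private static final int MAX_PATTERN_LENGTH = 128;

    private final AntPathMatcher matcher = new AntPathMatcher();

    /** Preferred path: the caller picks one of the known patterns; nothing else is accepted. */
    public boolean matchAllowed(String pattern, String path) {
        if (!ALLOWED_PATTERNS.contains(pattern)) {
            throw new IllegalArgumentException("pattern is not in the allowlist");
        }
        return matcher.match(pattern, path);
    }

    /**
     * Fallback for patterns that must be built dynamically. AntPathMatcher treats
     * "{name:regex}" as a URI-template variable constrained by a regular expression,
     * so a ':' inside braces means the pattern carries caller-controlled regex.
     * Such patterns, and over-long ones, are rejected before the matcher sees them.
     */
    public boolean matchDynamic(String pattern, String path) {
        if (pattern == null || pattern.length() > MAX_PATTERN_LENGTH) {
            throw new IllegalArgumentException("pattern missing or too long");
        }
        if (containsRegexVariable(pattern)) {
            throw new IllegalArgumentException("regex inside a URI template variable is not permitted");
        }
        return matcher.match(pattern, path);
    }

    /** True if a ':' occurs inside a '{...}' segment, i.e. the variable has a regex constraint. */
    static boolean containsRegexVariable(String pattern) {
        int depth = 0;
        for (char c : pattern.toCharArray()) {
            if (c == '{') depth++;
            else if (c == '}') depth = Math.max(0, depth - 1);
            else if (c == ':' && depth > 0) return true;
        }
        return false;
    }
}
```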

Generated by OpenCVE AI on June 9, 2026 at 05:21 UTC.

Tracking


Advisories

No advisories yet.

References
History

Tue, 09 Jun 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 06:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Spring; Spring spring Framework

Type: Vendors & Products
Values Removed: (none)
Values Added: Spring; Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Type: Title
Values Removed: (none)
Values Added: Spring Framework Denial of Service via AntPathMatcher

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-1333

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Spring Spring Framework
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:34:15.339Z

Reserved: 2026-04-22T06:22:08.200Z

Link: CVE-2026-41848

Vulnrichment

Updated: 2026-06-09T13:34:12.263Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T05:16:36.940

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T05:45:26Z

Weaknesses