Impact
An integer overflow in the evaluation logic of the Spring Expression Language (SpEL) lets an attacker supply a crafted expression that forces the runtime to allocate excessive resources, leading to a denial of service. The flaw originates from the way arithmetic operations are performed during expression parsing, allowing the counter to wrap around and exceed its intended limits. When triggered, the application can consume disproportionate CPU or memory, resulting in stalled or terminated requests and degraded or lost service availability for all users.
Affected Systems
Spring Framework versions 5.3.0 through 5.3.48 are affected. This includes all deployments of Spring Framework 5.3.x that have not been patched to 5.3.49 or later. The flaw is vendor-specific to the Spring Framework itself and does not involve third-party libraries beyond those that process SpEL expressions provided by the application code.
Risk and Exploitability
The CVSS score of 7.5 indicates a high-severity vulnerability with substantial impact on availability. Because no EPSS score is available, the current exploitation probability cannot be quantified, but the absence of a KEV listing suggests no known widespread exploitation yet. Exploitation likely requires the attacker to supply a malicious SpEL expression through any interface the application evaluates, such as REST endpoints, configuration files, or request parameters, so remote exploitation is feasible wherever externally supplied input reaches the SpEL evaluator.
OpenCVE Enrichment