CVE-2026-41007
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
The vulnerability in Spring HATEOAS involves an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings, potentially leading to memory exhaustion or DoS.
Risk Assessment
An attacker can send malicious requests with unique strings, causing uncontrolled growth of the cache and potentially leading to denial of service (DoS) by exhausting available memory.
Recommendation
Immediately update Spring HATEOAS to version 1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4, depending on the branch used. If an update is not possible, consider restricting access to the application or applying temporary WAF rules.
Original NVD description (English source)
Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

