CVE Catalog

CVE-2026-41007

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile - higher than 22% of all known CVEs

Summary

The vulnerability in Spring HATEOAS involves an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings, potentially leading to memory exhaustion or DoS.

Risk Assessment

An attacker can send malicious requests with unique strings, causing uncontrolled growth of the cache and potentially leading to denial of service (DoS) by exhausting available memory.

Recommendation

Immediately update Spring HATEOAS to version 1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4, depending on the branch used. If an update is not possible, consider restricting access to the application or applying temporary WAF rules.

Original NVD description (English source)

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS