VYPR
High severity · NVD Advisory · Published Oct 18, 2018 · Updated Sep 16, 2024

DoS Attack via Range Requests

CVE-2018-15756

Description

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring Framework 5.1.0, 5.0.x before 5.0.10, 4.3.x before 4.3.20, and the unsupported 4.2.x line consume excessive memory and CPU when serving static resources in response to crafted HTTP Range requests, allowing an unauthenticated remote denial of service.

Vulnerability

The vulnerability resides in the ResourceHttpRequestHandler used to serve static resources and, starting in Spring Framework 5.0, in annotated controller methods that return an org.springframework.core.io.Resource. When handling HTTP range requests, the implementation neither limits the number of ranges nor rejects overlapping ranges, so a single request whose Range header carries a large number of ranges, very wide overlapping ranges, or both makes the server read and emit the same resource bytes many times over, consuming memory and CPU out of proportion to the size of the resource. Affected versions are Spring Framework 5.1.0, 5.0.x prior to 5.0.10, 4.3.x prior to 4.3.20, and the older unsupported 4.2.x branch. An application is exposed if it depends on spring-webmvc or spring-webflux and either registers static resource handling (e.g., JS, CSS, images) or has an annotated controller returning a Resource. Spring Boot applications using spring-boot-starter-web or spring-boot-starter-webflux are exposed by default because they serve static resources out of the box [1].

Exploitation

The attacker needs only network access to an endpoint that serves a static resource or returns a Resource object; no authentication is required when that endpoint is public. The request is an ordinary GET carrying a Range header that lists many byte-range sets, wide overlapping ranges, or both. Because each range is served as its own part of a multipart/byteranges response, the work and memory the server spends scale with the sum of the requested range lengths rather than with the size of the resource, so a handful of such requests drives the process toward memory exhaustion. curl or any HTTP client can send the malicious request [1][2].
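The range handling described in the Vulnerability and Exploitation paragraphs above, modelled in Python as an added example (this is not Spring Framework code): a naive parser that accepts any number of overlapping byte ranges, a constructed attack header, the amplification it produces against a 1 MB asset, and a bounded variant that refuses it. The cap of 100 ranges and the rule that a multi-range request's combined length must be smaller than the resource are assumptions chosen to illustrate a bounded implementation, not quotations of the upstream fix.

```python
"""Model of HTTP Range handling at the core of CVE-2018-15756.

Added example, not code from the Spring Framework project. The limits used
in check_ranges_hardened (MAX_RANGES, combined length below resource length)
are assumptions for illustration, not a transcription of the upstream fix.
"""
from __future__ import annotations

MAX_RANGES = 100  # assumption: cap used by the hardened variant below


def parse_byte_ranges(header: str, resource_length: int) -> list[tuple[int, int]]:
    """Parse an RFC 7233 'bytes=' Range header into inclusive (first, last)
    offsets clamped to the resource, the way a naive server does: no limit on
    the number of ranges and no rejection of overlapping ones."""
    if not header.startswith("bytes="):
        raise ValueError("only byte ranges are supported")
    ranges: list[tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        first, sep, last = spec.partition("-")
        if not sep:
            raise ValueError(f"malformed range-spec: {spec!r}")
        if first == "":
            # suffix range '-N' means the last N bytes of the resource
            n = int(last)
            if n <= 0:
                raise ValueError(f"invalid suffix range: {spec!r}")
            ranges.append((max(0, resource_length - n), resource_length - 1))
            continue
        start = int(first)
        end = resource_length - 1 if last == "" else min(int(last), resource_length - 1)
        if start >= resource_length or start > end:
            continue  # unsatisfiable range; a real server answers 416
        ranges.append((start, end))
    return ranges


def response_body_size(ranges: list[tuple[int, int]]) -> int:
    """Bytes a server emits for a multipart/byteranges body (part headers and
    boundaries ignored). Overlap is not deduplicated, so wide overlapping
    ranges multiply the data read from disk and written to the socket."""
    return sum(last - first + 1 for first, last in ranges)


def build_attack_header(count: int) -> str:
    """Constructed attacker input: `count` copies of the full-resource range,
    i.e. 'bytes=0-,0-,0-,...': many ranges, all maximal, all overlapping."""
    return "bytes=" + ",".join(["0-"] * count)


def amplification(header: str, resource_length: int) -> float:
    """Ratio of response body bytes to resource size on a naive server."""
    return response_body_size(parse_byte_ranges(header, resource_length)) / resource_length


def check_ranges_hardened(header: str, resource_length: int,
                          max_ranges: int = MAX_RANGES) -> list[tuple[int, int]]:
    """Bounded variant (assumed limits): refuse too many ranges before parsing
    and refuse multi-range requests whose combined length is not smaller than
    the resource, since a legitimate client would simply fetch the whole file."""
    if not header.startswith("bytes="):
        raise ValueError("only byte ranges are supported")
    count = header.count(",") + 1
    if count > max_ranges:
        raise ValueError(f"too many ranges: {count} > {max_ranges}")
    ranges = parse_byte_ranges(header, resource_length)
    if len(ranges) > 1 and response_body_size(ranges) >= resource_length:
        raise ValueError("combined range length must be smaller than the resource")
    return ranges


if __name__ == "__main__":
    size = 1_000_000  # constructed: a 1 MB static asset such as app.js
    legit = "bytes=0-99,-100"
    evil = build_attack_header(1000)
    print("legit ranges:", parse_byte_ranges(legit, size))
    print("naive body size for 1000 overlapping full ranges:",
          response_body_size(parse_byte_ranges(evil, size)))
    print("amplification factor:", amplification(evil, size))
    for h in (legit, evil):
        try:
            check_ranges_hardened(h, size)
            print("hardened: accepted", h[:40])
        except ValueError as exc:
            print("hardened: rejected", h[:40], "->", exc)
```

Running it shows the asymmetry the advisory describes: a request of a few kilobytes makes the naive server produce a gigabyte of response body for a 1 MB file, while the bounded variant rejects it before any resource region is materialised.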

Impact

Successful exploitation causes a denial of service (DoS) by exhausting server memory or CPU, potentially rendering the application unresponsive. The attack does not lead to information disclosure or remote code execution; the primary outcome is temporary unavailability of the service. The impact is limited to systems that satisfy the prerequisite configuration (static resource serving or Resource-returning controllers) [1].

Mitigation

The fixed releases are Spring Framework 5.1.1, 5.0.10 and 4.3.20; the release commits for 5.0.10 and 4.3.20 listed under Patches below are dated October 15, 2018. Users should upgrade to the fixed version of their branch immediately. Applications on the unsupported 4.2.x branch must move to a supported branch that carries the fix. No workaround is provided in the references for unpatched versions; stripping or rejecting Range headers at a reverse proxy or web server in front of the application may reduce exposure, but it is not an official mitigation and also disables legitimate partial-content downloads. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time this insight was generated [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Ecosystem   Affected versions                     Patched version
org.springframework:spring-core   Maven       >= 5.1.0.RELEASE, < 5.1.1.RELEASE     5.1.1.RELEASE
org.springframework:spring-core   Maven       >= 5.0.0.RELEASE, < 5.0.10.RELEASE    5.0.10.RELEASE
org.springframework:spring-core   Maven       >= 4.2.0.RELEASE, < 4.3.20.RELEASE    4.3.20.RELEASE

Affected products: 2

Patches: 2

Commit 810fd123d5fd

Release version 4.3.20.RELEASE

https://github.com/spring-projects/spring-framework · Spring Buildmaster · Oct 15, 2018 · via osv
1 file changed · +1 −1
  • gradle.properties (+1 −1, modified)
    @@ -1 +1 @@
    -version=4.3.20.BUILD-SNAPSHOT
    +version=4.3.20.RELEASE
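Review bot: this hunk only flips version=4.3.20.BUILD-SNAPSHOT to version=4.3.20.RELEASE in gradle.properties; it is the release-tagging commit and touches no source file, so it cannot be used to verify the range-handling fix for CVE-2018-15756. The advisory should link the 4.3.x commit that changed the range-request code path (the ResourceHttpRequestHandler named in the description) and keep this commit only as the marker that 4.3.20.RELEASE includes it.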
    
Commit 35d1a8b6b2af

Release version 5.0.10.RELEASE

https://github.com/spring-projects/spring-framework · Spring Buildmaster · Oct 15, 2018 · via osv
1 file changed · +1 −1
  • gradle.properties (+1 −1, modified)
    @@ -1 +1 @@
    -version=5.0.10.BUILD-SNAPSHOT
    +version=5.0.10.RELEASE
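Review bot: same problem on the 5.0.x side, this hunk is the 5.0.10.BUILD-SNAPSHOT to 5.0.10.RELEASE version bump in gradle.properties and carries none of the code that bounds the number or extent of byte ranges, so a reader cannot confirm from it what changed for ResourceHttpRequestHandler or for controllers returning a Resource. Replace or supplement it with the 5.0.x fix commit, and note that 5.1.1.RELEASE, the patched version in the affected-packages table, has no commit listed here at all.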
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle. No mechanics text is present on this page; the two patches listed above are release version bumps and contain no fix code to derive it from.

References: 32 (the reference list itself is not included on this page; the inline citations [1] and [2] above refer to it)

News mentions: 0 (no linked articles in the index yet)