CVE-2020-14326
Description
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jboss.resteasy:resteasy-bomMaven | < 4.5.6.Final | 4.5.6.Final |
Affected products
2- RESTEasy/RESTEasydescription
Patches
Vulnerability mechanics
Root cause
"The `RootNode` route-match cache was an unbounded `ConcurrentHashMap`, allowing an attacker to exhaust server CPU by sending many distinct requests that each create a new cache entry."
Attack vector
An attacker sends a large number of HTTP requests with distinct paths (or distinct media-type parameters) that each miss the cache, forcing `RootNode.match()` to compute and insert a new `MatchCache` entry. Because the cache was unbounded, the `ConcurrentHashMap` grows without limit, causing hash-collision overhead and increased CPU consumption for lookups and insertions. This leads to an uncontrolled resource consumption denial-of-service condition [CWE-400].
Affected code
The vulnerability is in `RootNode.java` (the `match` method and the unbounded `ConcurrentHashMap` cache) and `MatchCache.java`. The patch also adds configuration constants in `ResteasyContextParameters.java` and a regression test in `RootNodeCacheSizeTest.java`.
What the fix does
The patch introduces a configurable maximum cache size (`CACHE_SIZE`, default 2048) and a `CACHE` flag. When the cache reaches the limit, `cache.clear()` is called before inserting a new entry, preventing unbounded growth. Additionally, requests whose `Content-Type` header includes parameters are no longer cached at all, because parameterized media types would create many unique keys and defeat caching. The new configuration constants `RESTEASY_MATCH_CACHE_ENABLED` and `RESTEASY_MATCH_CACHE_SIZE` allow operators to tune the behavior via system properties.
Preconditions
- networkThe attacker must be able to send HTTP requests to a RESTEasy endpoint that triggers route matching (i.e., any RESTEasy-based REST service).
- configThe default cache is enabled (the patch shows the default is `true`).
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-37g7-8vjj-pjpjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-14326ghsaADVISORY
- bugzilla.redhat.com/show_bug.cgighsax_refsource_MISCWEB
- github.com/resteasy/Resteasy/pull/2471ghsaWEB
- security.netapp.com/advisory/ntap-20210713-0001ghsaWEB
- security.netapp.com/advisory/ntap-20210713-0001/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.