CVE-2026-41007

Vulnerability

Spring HATEOAS versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3 maintain an unbounded static cache of StringLinkRelation instances. This cache is keyed on attacker-supplied strings, making it vulnerable to exhaustion. Affected applications are those that deserialize attacker-supplied hypermedia, for example via a @RequestBody bound to a RepresentationModel, EntityModel, or CollectionModel, or by calling Links.parse() or Link.valueOf() on a client-supplied Link header [1].

Exploitation

An attacker can exploit this vulnerability by providing specially crafted, attacker-supplied strings as hypermedia data. This can occur when deserializing hypermedia via a @RequestBody or by parsing a client-supplied Link header. No specific authentication or user interaction is required, as the vulnerability can be triggered remotely through network requests [1].

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition due to heap exhaustion. The unbounded cache, filled with attacker-controlled data, will consume all available memory, rendering the application unresponsive and unavailable to legitimate users [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: 1.5.7 (Enterprise Support Only), 2.3.5 (Enterprise Support Only), 2.4.2 (Enterprise Support Only), 2.5.3 (OSS), or 3.0.4 (OSS). Versions that are no longer supported are also affected. No other workarounds are specified in the available references [1].