CVE-2026-41710

Vulnerability

An attacker can exhaust the application-wide stateful retry cache by crafting a large number of unique requests that trigger failures. This issue affects Spring Retry versions 2.0.0 through 2.0.12 and 1.3.0 through 1.3.4. It requires stateful retries to be explicitly enabled with @Retryable(stateful=true), attacker-controlled cache keys (possible with default key generator if method arguments are attacker-controlled), and the attacker must be able to cause invocations to fail without the same request being re-presented [1].

Exploitation

An attacker needs network access and the ability to trigger method invocations that fail. By repeatedly sending unique requests that result in failures, the attacker can fill the stateful retry cache. Since cache entries are only removed upon success or retry exhaustion, failed items that are abandoned remain in the cache permanently, preventing any further updates [1].

Impact

Once the stateful retry cache is full, it permanently rejects any further updates. This causes all subsequent stateful retries and circuit breakers within the application to fail, leading to a denial of service. This vulnerability does not affect stateless retries, which are the default behavior [1].

Mitigation

Users of affected versions should upgrade to Spring Retry 2.0.13 or later for the 2.0.x line, or 1.3.5 or later for the 1.3.x line. Specific fixed versions are 2.0.13 (OSS) and 2.0.12.1 (Enterprise Support Only) for the 2.0.x branch, and 1.3.5 (Enterprise Support Only) for the 1.3.x branch [1].