CVE-2026-41711

Vulnerability

Applications using Spring Data Commons are vulnerable to a Denial of Service (DoS) attack resulting in a StackOverflowException when parsing Sort parameters. This vulnerability affects Spring Data Commons versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, and 2.7.0 through 2.7.19. The issue can be triggered if an application exposes endpoints that accept Sort parameters from untrusted sources without sanitization, or if endpoints use parameters annotated with @ProjectedPayload or @QuerydslPredicate [1].

Exploitation

An attacker can exploit this vulnerability by sending crafted Sort parameters to an exposed endpoint. This requires the application to either explicitly expose an endpoint accepting Sort parameters from untrusted sources without proper sanitization, or to expose endpoints with parameters annotated with @ProjectedPayload or @QuerydslPredicate. Network access and no specific privileges are required, but user interaction is not needed [1].

Impact

Successful exploitation of this vulnerability leads to a Denial of Service (DoS) condition due to a StackOverflowException. This prevents the application from processing legitimate requests, rendering it unavailable to users. The scope of the impact is limited to the availability of the affected application [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: 4.0.6, 3.5.12, 3.4.15, 3.3.17, or 2.7.20. Additionally, it is recommended to ensure that any untrusted input intended for sorting is adequately sanitized before being processed by the application. Some fixed versions are only available under Enterprise Support [1].