CVE-2026-41716

Vulnerability

Spring Data Commons versions 2.7.0 through 2.7.19, 3.3.0 through 3.3.16, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5 are affected. The vulnerability lies in the internal property-lookup cache, which permanently retains attacker-supplied strings as cache keys. This occurs when Spring Data features forward HTTP-supplied strings to PropertyPath.from without prior filtering, specifically in Querydsl web bindings and @ProjectedPayload form-parameter binding [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by repeatedly sending requests containing attacker-supplied strings as property names. These strings are used as keys in the internal cache, which does not limit the number or size of keys it stores. The attacker's goal is to exhaust the application's heap memory by filling the cache with these keys [1].

Impact

Successful exploitation of this vulnerability leads to heap exhaustion, causing a denial-of-service (DoS) condition. The application becomes unresponsive and may crash due to the lack of available memory. This impact is achieved without requiring any specific privileges or authentication from the attacker [1].

Mitigation

Users should upgrade to the following fixed versions: Spring Data Commons 2.7.20, 3.3.17, 3.4.15, 3.5.12, or 4.0.6. Versions that are no longer supported are also affected. Specific release dates for these versions are not detailed in the provided references, but commercial releases are available for 2.7.x, 3.3.x, and 3.4.x, while OSS releases are available for 3.5.x and 4.0.x [1].