CVE-2026-41842

Vulnerability

Spring MVC and Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources if the application serves static resources from the file system and has configured versioned resources support. Affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability by sending malicious requests that are slow to resolve. These requests can keep HTTP connections in use, leading to a denial of service condition. No specific privileges or user interaction are mentioned as required for exploitation, suggesting it may be accessible over the network [1].

Impact

Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) in the affected application. This means the application may become unresponsive or unavailable to legitimate users due to the exhaustion of resources caused by malicious requests [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: Spring Framework 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the specific branch. No further mitigation steps are necessary beyond upgrading [1].