CVE-2026-41848

Vulnerability

Applications using Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack. This occurs when an attacker provides a malicious pattern to the match(), matchStart(), or extractUriTemplateVariables() methods within the AntPathMatcher class [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted pattern to the affected AntPathMatcher methods. No specific privileges or user interaction are mentioned as required for exploitation, but the attacker must be able to supply the pattern to the application [1].

Impact

Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. This is due to the Regular Expression Denial of Service (ReDoS) nature of the attack, which can cause the application to consume excessive resources, rendering it unavailable [1].

Mitigation

Users of affected Spring Framework versions should upgrade to the following fixed versions: 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch. No further mitigation steps are necessary. Versions that are no longer supported are also affected [1].