Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.
Affected applications are those that deserialize attacker-supplied hypermedia, for example via a @RequestBody bound to a RepresentationModel, EntityModel, or CollectionModel, or by calling Links.parse() / Link.valueOf() on a client-supplied Link header.
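The root cause is a pattern worth recognising in any code base: a static memoisation map with no size bound whose keys come from untrusted input. The Java below is an added illustration of that defect class next to a bounded variant; it is not Spring HATEOAS's own code, and `RelationCache`, `StringRel` and the cap value are hypothetical names chosen for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative reproduction of the defect class, not Spring HATEOAS code.
final class RelationCache {

    // Vulnerable pattern: a static map that gains one entry for every distinct
    // relation name ever seen. The keys are attacker-controlled, so a client that
    // sends a never-before-seen name on each request grows the heap without limit.
    private static final Map<String, StringRel> UNBOUNDED = new ConcurrentHashMap<>();

    static StringRel unboundedOf(String rel) {
        return UNBOUNDED.computeIfAbsent(rel, StringRel::new);
    }

    // Hardened pattern: retain at most MAX_CACHED entries. Past the cap, callers
    // still receive a valid instance, but it is not stored, so untrusted input
    // can no longer drive unbounded growth. (Under concurrent use the cap is
    // approximate by a handful of entries, which is acceptable for a memory bound.)
    private static final int MAX_CACHED = 1_024; // hypothetical cap
    private static final Map<String, StringRel> BOUNDED = new ConcurrentHashMap<>();

    static StringRel boundedOf(String rel) {
        StringRel cached = BOUNDED.get(rel);
        if (cached != null) {
            return cached;
        }
        StringRel fresh = new StringRel(rel);
        if (BOUNDED.size() < MAX_CACHED) {
            StringRel raced = BOUNDED.putIfAbsent(rel, fresh);
            return raced != null ? raced : fresh;
        }
        return fresh; // valid, but deliberately not retained
    }

    static int unboundedSize() { return UNBOUNDED.size(); }
    static int boundedSize() { return BOUNDED.size(); }

    // Stand-in for a value object wrapping a relation name.
    record StringRel(String value) {}

    public static void main(String[] args) {
        // Simulate 100,000 requests that each carry a unique, client-chosen relation name.
        for (int i = 0; i < 100_000; i++) {
            String rel = "rel-" + i;
            unboundedOf(rel);
            boundedOf(rel);
        }
        System.out.println("unbounded cache entries: " + unboundedSize());
        System.out.println("bounded cache entries:   " + boundedSize());
    }
}
```

Running the simulation shows the unbounded map holding one entry per request while the bounded map stops at the cap; the same growth is what a memory-profiling or heap-size alert would surface on an affected, unpatched deployment.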
Spring HATEOAS:
Versions that are no longer supported are also affected.
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 1.5.x | 1.5.7 | Enterprise Support Only |
| 2.3.x | 2.3.5 | Enterprise Support Only |
| 2.4.x | 2.4.2 | Enterprise Support Only |
| 2.5.x | 2.5.3 | OSS |
| 3.0.x | 3.0.4 | OSS |
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.