Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-41695: Denial of Service in Spring Data Commons Property Path Resolution
Description
Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution.
Specifically, an application is vulnerable when all of the following are true:
- attacker-controlled input is used as a property path string for path resolution
- the consuming module or application exposes this resolution to untrusted callers (for example, when using Spring Data REST)
- the targeted domain types contain recursive or sufficiently deeply nested property graphs, or attackers can submit a large number of unique invalid paths
Spring Data Commons does not directly expose this API to untrusted callers; exposure depends on the consuming Spring Data module or application code.
Affected Spring Products and Versions
Spring Data Commons:
- 4.0.0 - 4.0.5
- 3.5.0 - 3.5.11
- 3.4.0 - 3.4.14
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 4.0.x | 4.0.6 | OSS |
| 3.5.x | 3.5.12 | OSS |
| 3.4.x | 3.4.15 | Enterprise Support Only |
No other mitigation steps are necessary.
References
History
- 2026-06-09: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all