Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-41711: Potential Denial of Service through crafted Sort Parameters
Description
Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a
StackOverflowException when parsing Sort parameters.
This issue can occur if an application explicitly exposes an endpoint that accepts Sort parameters from untrusted sources and passes them on without performing sanitization or if the application exposes endpoints with parameters annotated with @ProjectedPayload or @QuerydslPredicate.
Spring Data Commons does not directly expose this API to untrusted callers; exposure depends on the consuming Spring Data module or application code.
Affected Spring Products and Versions
Spring Data Commons:
- 4.0.0 to 4.0.5
- 3.5.0 to 3.5.11
- 3.4.0 to 3.4.14
- 3.3.0 to 3.3.16
- 3.2.0 to 3.2.15
- 3.1.0 to 3.1.14
- 3.0.0 to 3.0.15
- 2.7.0 to 2.7.19
- older unsupported versions
Mitigation
Users of affected versions should upgrade to the corresponding fixed version. Ensure that any untrusted input intended for sorting is adequately sanitized before being processed.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 4.0.x | 4.0.6 | OSS |
| 3.5.x | 3.5.12 | OSS |
| 3.4.x | 3.4.15 | Enterprise Support Only |
| 3.3.x | 3.3.17 | Enterprise Support Only |
| 2.7.x | 2.7.20 | Enterprise Support Only |
References
History
- 2026-06-09: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all