Home
MEDIUM: 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HDefault status
unaffected
4.0.0 (custom) before 4.0.6
affected
3.5.0 (custom) before 3.5.12
affected
3.4.0 (custom) before 3.4.15
affected
3.3.0 (custom) before 3.3.17
affected
3.2.0 (custom) before 3.2.16
affected
3.1.0 (custom) before 3.1.15
affected
3.0.0 (custom) before 3.0.16
affected
2.7.0 (custom) before 2.7.20
affected
Description
Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Problem types
CWE-400: Uncontrolled Resource Consumption
Product status
4.0.0 (custom) before 4.0.6
3.5.0 (custom) before 3.5.12
3.4.0 (custom) before 3.4.15
3.3.0 (custom) before 3.3.17
3.2.0 (custom) before 3.2.16
3.1.0 (custom) before 3.1.15
3.0.0 (custom) before 3.0.16
2.7.0 (custom) before 2.7.20
References
spring.io/security/cve-2026-41721