|
Vulnerabilities
< Back

CVE-2026-41695

Updated on 09 Jun 2026

Severity

7.5 High severity

Details

CVSS score
7.5
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

SVG ImageDescription

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution.

Specifically, an application is vulnerable when all of the following are true:

  • attacker-controlled input is used as a property path string for path resolution
  • the consuming module or application exposes this resolution to untrusted callers (for example, when using Spring Data REST)
  • the targeted domain types contain recursive or sufficiently deeply nested property graphs, or attackers can submit a large number of unique invalid paths

Spring Data Commons does not directly expose this API to untrusted callers; exposure depends on the consuming Spring Data module or application code.

SVG ImageAffected Spring Products and Versions

Spring Data Commons:

  • 4.0.0 - 4.0.5
  • 3.5.0 - 3.5.11
  • 3.4.0 - 3.4.14

SVG ImageMitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
4.0.x 4.0.6 OSS
3.5.x 3.5.12 OSS
3.4.x 3.4.15 Enterprise Support Only

No other mitigation steps are necessary.

SVG ImageReferences

SVG ImageHistory

  • 2026-06-09: Initial vulnerability report published.

Details

SVG ImageDescription

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution.

Specifically, an application is vulnerable when all of the following are true:

  • attacker-controlled input is used as a property path string for path resolution
  • the consuming module or application exposes this resolution to untrusted callers (for example, when using Spring Data REST)
  • the targeted domain types contain recursive or sufficiently deeply nested property graphs, or attackers can submit a large number of unique invalid paths

Spring Data Commons does not directly expose this API to untrusted callers; exposure depends on the consuming Spring Data module or application code.

SVG ImageAffected Spring Products and Versions

Spring Data Commons:

  • 4.0.0 - 4.0.5
  • 3.5.0 - 3.5.11
  • 3.4.0 - 3.4.14

SVG ImageMitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
4.0.x 4.0.6 OSS
3.5.x 3.5.12 OSS
3.4.x 3.4.15 Enterprise Support Only

No other mitigation steps are necessary.

SVG ImageReferences

SVG ImageHistory

  • 2026-06-09: Initial vulnerability report published.