CVE-2026-41007
Status: Analyzed - Analysis Complete

Memory Leak in Spring HATEOAS

Vulnerability report for CVE-2026-41007, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-27

Assigner: VMware

Description

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-27
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
External references: NVD, EUVD

Affected Vendors & Products

5 associated CPEs:

Vendor   Product          Version / Range
vmware   spring_hateoas   From 1.5.0 (inc) to 1.5.7 (exc)
vmware   spring_hateoas   From 2.3.0 (inc) to 2.3.5 (exc)
vmware   spring_hateoas   From 2.4.0 (inc) to 2.4.2 (exc)
vmware   spring_hateoas   From 2.5.0 (inc) to 2.5.3 (exc)
vmware   spring_hateoas   From 3.0.0 (inc) to 3.0.4 (exc)

Exploitability

CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-41007 is a vulnerability in Spring HATEOAS where the software maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.

This means that when an application processes hypermedia input controlled by an attacker, such as deserializing data with RepresentationModel, EntityModel, or CollectionModel, or parsing client-supplied Link headers, the cache can grow without limit.

The unbounded caching can lead to heap exhaustion, causing the application to consume excessive memory and potentially crash or become unresponsive.

Impact Analysis

This vulnerability affects you by causing heap exhaustion in your application: the cache grows without bound, so your system's memory can be overwhelmed.

As a result, your application may crash, become unresponsive, or experience degraded performance, leading to denial of service.

This is especially relevant if your application processes attacker-controlled hypermedia inputs or client-supplied Link headers.

Mitigation Strategies

To mitigate the risk of this vulnerability, users should upgrade to the fixed versions of Spring HATEOAS.

  • Upgrade to version 1.5.7 (Enterprise Support Only)
  • Upgrade to version 2.3.5 (Enterprise Support Only)
  • Upgrade to version 2.4.2 (Enterprise Support Only)
  • Upgrade to version 2.5.3 (OSS)
  • Upgrade to version 3.0.4 (OSS)

Detection Guidance

This vulnerability arises from unbounded caching of attacker-supplied strings in Spring HATEOAS, which can lead to heap exhaustion. Detection involves monitoring applications using affected versions of Spring HATEOAS that deserialize attacker-controlled hypermedia or process client-supplied Link headers.

There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.

A practical approach to detection could include:

  • Checking the version of Spring HATEOAS in use to see if it falls within the affected ranges (1.5.0 to 1.5.6, 2.3.0 to 2.3.4, 2.4.0 to 2.4.1, 2.5.0 to 2.5.2, 3.0.0 to 3.0.3).
  • Monitoring application logs and heap usage for signs of abnormal memory consumption or heap exhaustion.
  • Reviewing application code or configurations that deserialize hypermedia representations or parse Link headers to identify potential exposure.
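As an added example, not part of this advisory or of the Spring HATEOAS project, the following Python script encodes the affected ranges from the CPE table above (first affected version inclusive, first fixed version exclusive) and applies them to versions found in `mvn dependency:tree` output. The sample tree text, including its artifact coordinates and versions, is constructed for the example and not captured from a real build.

```python
"""Check Spring HATEOAS versions against the ranges affected by CVE-2026-41007."""
import re
from typing import List, Optional, Tuple

# Affected ranges from the CVE-2026-41007 CPE table: [first affected, first fixed).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("1.5.0", "1.5.7"),
    ("2.3.0", "2.3.5"),
    ("2.4.0", "2.4.2"),
    ("2.5.0", "2.5.3"),
    ("3.0.0", "3.0.4"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.4.1', '2.4.1-SNAPSHOT' or '1.5.6.RELEASE' into a comparable (major, minor, patch) tuple.

    A missing patch component (e.g. '3.0') is treated as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release if `version` is affected, otherwise None."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(fixed):
            return fixed
    return None


# Matches the spring-hateoas artifact as printed by `mvn dependency:tree`.
DEP_LINE = re.compile(r"org\.springframework\.hateoas:spring-hateoas:jar:([^:\s]+)")


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, Optional[str]]]:
    """Scan dependency-tree text; return (version, fixed_version_or_None) per spring-hateoas hit."""
    findings: List[Tuple[str, Optional[str]]] = []
    for line in tree_output.splitlines():
        m = DEP_LINE.search(line)
        if m:
            ver = m.group(1)
            findings.append((ver, fixed_version_for(ver)))
    return findings


# Constructed sample in `mvn dependency:tree` format (hypothetical project, not a real build).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- com.example:demo-web:jar:0.0.1-SNAPSHOT:compile
[INFO] |  \\- org.springframework.hateoas:spring-hateoas:jar:2.4.1:compile
[INFO] \\- org.springframework.hateoas:spring-hateoas:jar:3.0.4:test
"""

if __name__ == "__main__":
    for ver, fixed in scan_dependency_tree(SAMPLE_TREE):
        status = f"AFFECTED, upgrade to {fixed}" if fixed else "not in an affected range"
        print(f"spring-hateoas {ver}: {status}")
```

In a real build, pipe `mvn dependency:tree` output into `scan_dependency_tree`; for Gradle projects the line format differs, so the regex would need to be adapted. The version comparison deliberately ignores qualifiers such as `-SNAPSHOT` or `.RELEASE`, which is the conservative choice for a pre-release of a fixed version.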
