CVE-2026-41007
Status: Received - Intake
Memory Leak in Spring HATEOAS

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Meta Information
Generated: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (5 associated CPEs)

Vendor   Product          Version / Range
vmware   spring_hateoas   From 1.5.0 (inc) to 1.5.6 (inc)
vmware   spring_hateoas   From 2.3.0 (inc) to 2.3.4 (inc)
vmware   spring_hateoas   From 2.4.0 (inc) to 2.4.1 (inc)
vmware   spring_hateoas   From 2.5.0 (inc) to 2.5.2 (inc)
vmware   spring_hateoas   From 3.0.0 (inc) to 3.0.3 (inc)
Weakness (CWE)

CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-41007 is a vulnerability in Spring HATEOAS where the software maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.

This means that when an application processes hypermedia input controlled by an attacker, such as deserializing data with RepresentationModel, EntityModel, or CollectionModel, or parsing client-supplied Link headers, the cache can grow without limit.

The unbounded caching can lead to heap exhaustion, causing the application to consume excessive memory and potentially crash or become unresponsive.

Impact Analysis

This vulnerability can impact you by causing heap exhaustion in your application: because the cache grows without bound, the memory available to your application can be exhausted by attacker-controlled input.

As a result, your application may crash, become unresponsive, or experience degraded performance, leading to denial of service.

This is especially relevant if your application processes attacker-controlled hypermedia inputs or client-supplied Link headers.

Mitigation Strategies

To mitigate the risk of this vulnerability, users should upgrade to the fixed versions of Spring HATEOAS.

  • Upgrade to version 1.5.7 (Enterprise Support Only)
  • Upgrade to version 2.3.5 (Enterprise Support Only)
  • Upgrade to version 2.4.2 (Enterprise Support Only)
  • Upgrade to version 2.5.3 (OSS)
  • Upgrade to version 3.0.4 (OSS)
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
