CVE Catalog

CVE-2026-41848

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

23th percentile — higher than 23% of all known CVEs

Summary

A ReDoS vulnerability in Spring Framework allows an attacker to perform a denial of service attack by providing a specially crafted pattern to AntPathMatcher methods: match, matchStart, and extractUriTemplateVariables.

Risk Assessment

An attacker can cause significant slowdown or complete halt of the application, leading to service unavailability for users.

Recommendation

Immediately update Spring Framework to version 7.0.8 or later, 6.2.19 or later, 6.1.28 or later, 5.3.49 or later.

Original NVD description (English source)

Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS