Introduction
A newly disclosed denial of service vulnerability in Spring Framework allows remote, unauthenticated attackers to exhaust an application's HTTP connection pool by sending crafted requests that trigger slow static resource resolution. With Spring Framework powering 60% of Java developers' main applications according to Snyk's ecosystem report, the potential blast radius of CVE-2026-41842 is significant, even though exploitation requires a specific configuration precondition: versioned resources support must be enabled.
This vulnerability is the fourth DoS issue affecting Spring MVC and WebFlux static resource handling disclosed in 2026, following three related CVEs (CVE-2026-22740, CVE-2026-22741, CVE-2026-22745) published in April. The pattern suggests that static resource serving in Spring's web stack has become an emerging and recurring attack surface that warrants holistic review.
Technical Information
Root Cause and Classification
CVE-2026-41842 is classified under CWE-400: Uncontrolled Resource Consumption, a weakness in which a product does not properly control the number or size of resources it allocates, leading to performance degradation and denial of service conditions. The CVSS v3.1 score is 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network reachability, low attack complexity, no required privileges or user interaction, and high availability impact with no confidentiality or integrity impact.
The vulnerability resides in the static resource resolution layer shared by both Spring MVC and Spring WebFlux. When versioned resource resolution is enabled (via the VersionResourceResolver in the resource chain), the framework performs additional processing to resolve resource paths containing version identifiers. Maliciously crafted requests can exploit this processing to cause pathologically slow filesystem resolution operations.
Preconditions for Exploitation
An application is vulnerable only when all three of the following conditions are simultaneously true:
- The application uses Spring MVC or Spring WebFlux
- It serves static resources from the file system
- It has configured versioned resources support (the
VersionResourceResolver)
Organizations not using versioned resource resolution are not affected by this vulnerability.
Attack Flow
The attack follows a slow loris class pattern:
- The attacker identifies a Spring MVC or WebFlux application that serves versioned static resources from the filesystem.
- The attacker crafts malicious HTTP requests targeting the versioned resource resolution path. These requests are designed to trigger slow filesystem resolution operations within the
VersionResourceResolver. - Each malicious request holds its HTTP connection open for an extended period while the slow resolution operation completes.
- The attacker opens many such connections concurrently, gradually consuming the application's available connection pool.
- Once the connection pool is exhausted, the application can no longer accept new connections from legitimate users, resulting in a denial of service condition.
The Spring advisory describes this as: "an attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use, potentially leading to Denial of Service in the application."
This attack pattern is consistent with what HeroDevs characterized as a "textbook slow loris class DoS" when analyzing the closely related CVE-2026-22745, which shares an identical affected version footprint. The key distinction for CVE-2026-41842 is that it specifically targets the versioned resource resolution path, whereas the April 2026 CVEs targeted multipart request handling (CVE-2026-22740), cache poisoning via encoded resources (CVE-2026-22741), and Windows specific static resource resolution (CVE-2026-22745).
Discovery
The Spring advisory states that "this issue was discovered internally" by the Spring team, indicating no external researcher or threat actor reported it prior to the coordinated disclosure on June 8, 2026.
Patch Information
The Spring team officially patched CVE-2026-41842 in a coordinated release published on June 8, 2026, alongside 17 other CVEs addressed in the same batch. The fix was shipped in the following versions:
| Affected Version Line | Fix Version | Availability |
|---|---|---|
| 7.0.x (7.0.0 through 7.0.7) | 7.0.8 | OSS (open source) |
| 7.0.x | 7.0.7.1 | Commercial |
| 6.2.x (6.2.0 through 6.2.18) | 6.2.19 | OSS (open source) |
| 6.2.x | 6.2.18.1 | Commercial |
| 6.1.x (6.1.0 through 6.1.27) | 6.1.28 | Commercial only |
| 5.3.x (5.3.0 through 5.3.48) | 5.3.49 | Commercial only |
The patch corrects how versioned resource requests are resolved, preventing the pathological slow path that attackers could trigger to pin connections. The advisory from VMware (Spring's CNA) states that upgrading is the sole remediation and that "no further mitigation steps are necessary."
Commercial releases are available through a Tanzu Spring commercial subscription.
Important Timeline Consideration
Version 6.2.19 is likely the last open source release of the 6.2.x line, as that branch reaches OSS end of life on June 30, 2026. Teams currently on 6.2.x should treat this upgrade as an immediate measure while planning their migration path to the 7.0.x line. For organizations still running Spring Framework 6.1.x or 5.3.x (both past their OSS end of life dates), there is no free upstream patch. The only remediation paths are upgrading to a supported OSS line (6.2.x or 7.0.x) or obtaining commercial support.
Interim Defensive Measures
For organizations that cannot immediately upgrade, the following infrastructure level mitigations may provide some protection given the slow loris nature of the attack:
- HTTP connection timeout enforcement at the reverse proxy or load balancer layer
- Connection rate limiting per source IP
- Monitoring for anomalous connection counts or prolonged connection durations
- Evaluating whether versioned resources support can be temporarily disabled (noting this may break front end caching strategies)
These measures are not specifically recommended by the Spring advisory but align with established defenses against slow loris class DoS attacks.
Affected Systems and Versions
The vulnerability affects Spring Framework across four release trains:
- Spring Framework 7.0.0 through 7.0.7
- Spring Framework 6.2.0 through 6.2.18
- Spring Framework 6.1.0 through 6.1.27
- Spring Framework 5.3.0 through 5.3.48
The advisory also notes that "versions that are no longer supported are also affected."
The vulnerable configuration requires all three of the following:
- Spring MVC or Spring WebFlux is in use
- Static resources are served from the file system
- Versioned resources support is configured (via
VersionResourceResolver)
Applications that do not meet all three conditions are not vulnerable.
Vendor Security History
Spring Framework has a well documented history of security vulnerabilities, with the Spring security advisories page listing 22 pages of advisories across the Spring portfolio. Notable entries relevant to understanding CVE-2026-41842 in context include:
| CVE | Description | Severity | Date |
|---|---|---|---|
| CVE-2022-22965 (Spring4Shell) | Remote Code Execution via classLoader manipulation | CRITICAL (CVSS 9.8) | March 2022 |
| CVE-2026-22740 | WebFlux multipart temp file DoS | HIGH | April 2026 |
| CVE-2026-22741 | Cache poisoning via encoded resources | LOW (CVSS 3.1) | April 2026 |
| CVE-2026-22745 | Windows specific static resource DoS | HIGH | April 2026 |
| CVE-2026-41842 | Versioned resources DoS (this CVE) | HIGH (CVSS 7.5) | June 2026 |
| CVE-2026-40983 | Micrometer gRPC server instrumentation DoS | HIGH | June 2026 |
| CVE-2026-40984 | Micrometer HTTP server instrumentation DoS | HIGH | June 2026 |
The Spring4Shell episode is the most significant historical precedent. It was a zero day RCE vulnerability that exploited classLoader manipulation in Spring MVC applications on JDK 9+. Proof of concept code circulated rapidly, and security organizations confirmed active scanning and exploitation within days of disclosure. While CVE-2026-41842 is a DoS rather than RCE, Spring's high profile status means exploit development tends to move quickly once details are public.
The clustering of four DoS vulnerabilities in Spring MVC/WebFlux static resource handling within a two month window (April and June 2026) suggests this area of the codebase warrants ongoing security scrutiny. Teams that applied the April patches and upgraded to 6.2.19 or 7.0.8 are already protected against this June CVE as well.
References
- CVE-2026-41842: Spring Framework Denial of Service via Versioned Resources
- CVE-2026-41842 Detail (NVD)
- Spring Framework 7.0.8 and 6.2.19 Available Now
- Spring Framework April 2026: 3 Web Stack DoS and Cache Poisoning CVEs (HeroDevs)
- CWE-400: Uncontrolled Resource Consumption
- Spring Dominates the Java Ecosystem (Snyk)
- Spring Security Advisories
- Spring4Shell: Zero Day Vulnerability in Spring Framework (Rapid7)
- CVE-2026-22741 Vulnerability Directory (HeroDevs)
- CISA Adds Three Known Exploited Vulnerabilities to Catalog (May 2026)
- 2026 Vulnerability Exploitation in the Wild (Proofpoint)



