Spring Framework Cache Poisoning Vulnerability in Static Resource Handling

Vulnerability

A cache poisoning vulnerability has been identified in the static resource handling of Spring MVC and Spring WebFlux applications. The issue is reachable only when all of the following conditions hold: the application uses Spring MVC or Spring WebFlux, resource chain support is configured with caching enabled, encoded resource resolution is supported, and the resource cache is still empty when the attacker's request arrives. Under these conditions an attacker can send crafted requests that cause incorrectly encoded resources to be stored in the cache; subsequent users are then served those poisoned resources, which can break the front-end application and amount to a denial of service.
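As an added example (not code from this advisory or from the Spring project), the Spring MVC configuration below is the shape that matches the preconditions stated above: a resource chain with caching turned on and an EncodedResourceResolver in the chain. It is shown so that a reviewer can recognise the affected configuration in their own code base; the handler pattern and resource location are hypothetical.

```java
// Added example, not from the advisory or the Spring project: a hypothetical
// Spring MVC configuration that matches the advisory's preconditions
// (resource chain with caching enabled + encoded resource resolution).
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.resource.EncodedResourceResolver;
import org.springframework.web.servlet.resource.PathResourceResolver;

@Configuration
public class StaticResourceConfig implements WebMvcConfigurer {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/static/**")            // hypothetical URL pattern
                .addResourceLocations("classpath:/static/")  // hypothetical location
                // resourceChain(true) enables the resolved-resource cache:
                // this is the "caching enabled" precondition.
                .resourceChain(true)
                // EncodedResourceResolver serves pre-compressed variants
                // (e.g. .gz / .br) based on Accept-Encoding: this is the
                // "encoded resource resolution" precondition.
                .addResolver(new EncodedResourceResolver())
                .addResolver(new PathResourceResolver());
    }
}
```

An application containing a registration like this (or the WebFlux equivalent) on an affected Spring Framework version meets the configuration side of the preconditions; the fix is the version upgrade given under Remediation, not a change to this registration.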

Impact

Exploitation of this vulnerability can lead to cache poisoning, causing a denial-of-service condition by disrupting the front-end application for users.

Remediation

Users should upgrade to Spring Framework versions 7.0.7, 6.2.18, 6.1.27 (commercial), or 5.3.48 (commercial), depending on their current version.

Added: Apr 29, 2026, 12:34 PM
Updated: Apr 29, 2026, 12:34 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          7.8
  impact          3.1
  exploitability  4.3
  remediation     7.7
  relevance       7.0
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.