Spring HATEOAS Heap Exhaustion Vulnerability via Unbounded Internal Caching

Vulnerability

A heap exhaustion vulnerability has been identified in Spring HATEOAS versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3. The library keeps a static, process-wide cache of StringLinkRelation instances keyed by the relation name string, and that cache is neither bounded nor evicted. When the relation name comes from an attacker, every previously unseen name adds a permanent entry, so a client that keeps sending distinct relation names can grow the cache until the JVM heap is exhausted. Affected applications are those that deserialize hypermedia from untrusted sources, for example a @RequestBody bound to RepresentationModel, EntityModel, or CollectionModel, or code that parses client-supplied Link headers. An application that only produces hypermedia and never parses links received from clients does not expose this path.
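The mechanism above, as an added example that is not Spring HATEOAS code: a minimal Java model of a static interning cache keyed by untrusted relation names, beside one possible bounded alternative. The class name, field names and the list of "well-known" relations are assumptions made for the demo, and the hardened variant is one option for removing attacker-controlled growth, not necessarily the fix shipped upstream.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/*
 * Added example: an illustrative model of the flaw described in this advisory.
 * It is NOT Spring HATEOAS source code; the class name, the cache field names
 * and the list of well-known relations are assumptions made for the demo.
 * Requires Java 16 or newer (records).
 */
public final class LinkRelationCacheDemo {

    /** Stand-in for the cached relation object; only the name matters here. */
    record StringLinkRelation(String value) {}

    /*
     * Vulnerable shape: a static, never-evicted cache keyed by whatever string the
     * caller passes. When the string is the "rel" of a link parsed from a request
     * body or Link header, the attacker controls the key, and every previously
     * unseen name becomes a permanent heap entry.
     */
    static final Map<String, StringLinkRelation> UNBOUNDED_CACHE = new ConcurrentHashMap<>();

    static StringLinkRelation ofUnbounded(String rel) {
        return UNBOUNDED_CACHE.computeIfAbsent(rel, StringLinkRelation::new);
    }

    /*
     * One possible hardening (an assumption, not necessarily the upstream fix):
     * intern only a fixed set of well-known relation names. Any other name yields
     * a fresh, unreferenced instance that the garbage collector reclaims, so
     * untrusted input can no longer add to process-wide state.
     */
    static final Map<String, StringLinkRelation> WELL_KNOWN_CACHE;
    static {
        Map<String, StringLinkRelation> m = new HashMap<>();
        for (String rel : List.of("self", "next", "prev", "first", "last", "item", "collection")) {
            m.put(rel, new StringLinkRelation(rel));
        }
        WELL_KNOWN_CACHE = Collections.unmodifiableMap(m);
    }

    static StringLinkRelation ofBounded(String rel) {
        StringLinkRelation known = WELL_KNOWN_CACHE.get(rel);
        return known != null ? known : new StringLinkRelation(rel);
    }

    static long usedHeapBytes() {
        Runtime rt = Runtime.getRuntime();
        return rt.totalMemory() - rt.freeMemory();
    }

    public static void main(String[] args) {
        // Number of distinct relation names the simulated attacker sends
        // (constructed input; a real attacker would spread them over many requests).
        int distinctRels = args.length > 0 ? Integer.parseInt(args[0]) : 500_000;

        long before = usedHeapBytes();
        for (int i = 0; i < distinctRels; i++) {
            ofUnbounded("x-attacker-rel-" + i);   // each distinct name is retained forever
        }
        long afterUnbounded = usedHeapBytes();

        for (int i = 0; i < distinctRels; i++) {
            ofBounded("x-attacker-rel-" + i);     // unknown names are not retained
        }

        System.out.printf("unbounded cache entries: %,d, approx. %,d KiB retained%n",
                UNBOUNDED_CACHE.size(), Math.max(0, afterUnbounded - before) / 1024);
        System.out.printf("bounded cache entries:   %,d (unchanged by attacker input)%n",
                WELL_KNOWN_CACHE.size());
    }
}
```

Compile with `javac LinkRelationCacheDemo.java` and run with a deliberately small heap and a large count, for example `java -Xmx64m LinkRelationCacheDemo 5000000`: the first loop ends in OutOfMemoryError, which is exactly the denial of service the advisory describes, while the bounded variant's cache stays at its seven fixed entries no matter how many names arrive. The heap figure printed is approximate, since the collector may run during the loop.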

Impact

Exploitation of this vulnerability leads to heap exhaustion: the cache grows with each distinct relation name until the JVM runs out of memory, after which the application can no longer serve requests. Because the cache is static and never evicted, the entries persist for the lifetime of the process, so recovering from a successful attack requires a restart.

Remediation

Users should upgrade to Spring HATEOAS versions 1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4, depending on their current version. Versions 1.5.7, 2.3.5, and 2.4.2 are available through Enterprise Support, while 2.5.3 and 3.0.4 are available as open-source. Until the upgrade is in place, a reasonable interim mitigation is to stop binding untrusted request bodies to RepresentationModel, EntityModel, or CollectionModel and to stop parsing client-supplied Link headers, or to reject relation names that are not on an application-defined allow-list before they reach the library.

Added: Jun 9, 2026, 6:37 AM
Updated: Jun 9, 2026, 6:37 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  4.7
remediation     7.7
relevance       9.6
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.