Spring Framework Regular Expression Denial-of-Service Vulnerability in AntPathMatcher

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in Spring Framework's AntPathMatcher. The issue can be triggered when an attacker is able to supply the pattern string that the application then passes to methods such as match, matchStart, or extractUriTemplateVariables. The vulnerability is present in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48, including versions that are no longer supported.
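The condition the advisory describes is that the pattern argument, not just the path, is attacker-controlled. The following Java example is added here to illustrate that distinction; it is not code from the advisory or from the Spring project. It assumes spring-core on the classpath, and the class, method and pattern names are illustrative choices. The risky shape hands a caller-supplied string to AntPathMatcher.match as the pattern; the hardened shape keeps patterns as fixed application constants and passes only the request path as untrusted input. Upgrading to a fixed version remains the actual remediation; keeping untrusted data out of the pattern position is defence in depth that also limits exposure on any version.

```java
import org.springframework.util.AntPathMatcher;
import java.util.List;

public class PatternSourceExample {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Risky shape described in the advisory: the pattern itself comes from the caller.
    // On an affected Spring Framework version, a crafted pattern can cause excessive
    // regular-expression processing inside match().
    static boolean matchUntrustedPattern(String userSuppliedPattern, String path) {
        return MATCHER.match(userSuppliedPattern, path);
    }

    // Hardened shape: patterns are application constants (illustrative values);
    // only the path is untrusted.
    private static final List<String> ALLOWED_PATTERNS = List.of("/api/**", "/public/*.html");

    static boolean isAllowedPath(String untrustedPath) {
        for (String pattern : ALLOWED_PATTERNS) {
            if (MATCHER.match(pattern, untrustedPath)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Sample paths constructed for the example.
        System.out.println(isAllowedPath("/api/v1/users"));
        System.out.println(isAllowedPath("/admin/login"));
    }
}
```

When auditing a codebase for this issue, the question to ask at each AntPathMatcher call site is where the first argument originates: request parameters, headers, path segments, or stored user data flowing into the pattern position are the cases the advisory covers.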

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, where the application becomes unresponsive or slow due to excessive processing of regular expressions.

Remediation

Users should upgrade to Spring Framework 7.0.8, 6.2.19, 6.1.28, or 5.3.49. Instructions for obtaining these versions are available on the Spring Enterprise website.

Added: Jun 9, 2026, 6:18 AM
Updated: Jun 9, 2026, 6:18 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.