Spring Framework Denial-of-Service Vulnerability via Integer Overflow in SpEL Expressions

Vulnerability

A denial-of-service vulnerability has been identified in the Spring Framework, specifically in versions 5.3.0 through 5.3.48. This issue arises from an integer overflow in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this vulnerability by sending a specially crafted SpEL expression that causes excessive resource consumption, leading to a denial-of-service condition. Applications that accept and evaluate untrusted or user-controlled SpEL expressions are particularly vulnerable.
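
The exposure the advisory describes, shown as an added Java illustration (not code from Spring or from this advisory): in the first method the request value is itself the SpEL text and is parsed and evaluated, which is the pattern to look for in code review; in the second, the request value only selects one of a few developer-written expressions, so no user-controlled expression ever reaches the evaluator. The `Person` class and the field names are constructed for the demonstration. Upgrading to 5.3.49 remains the fix for the overflow itself; the hardened pattern removes the untrusted-expression exposure the advisory names.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

import java.util.Map;

public class SpelExposureExample {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern: the caller-supplied string IS the expression.
    // Whatever arrives in the request is parsed and evaluated, so crafted
    // input reaches the SpEL evaluation logic the advisory refers to.
    static Object evaluateUntrusted(String userSuppliedExpression, Object root) {
        Expression expr = PARSER.parseExpression(userSuppliedExpression);
        return expr.getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: the caller-supplied string only SELECTS one of a
    // small set of expressions written by the developer. User input never
    // becomes SpEL text, so there is no untrusted expression to evaluate.
    private static final Map<String, Expression> ALLOWED = Map.of(
        "displayName", PARSER.parseExpression("firstName + ' ' + lastName"),
        "isAdult",     PARSER.parseExpression("age >= 18"));

    static Object evaluateSelected(String key, Object root) {
        Expression expr = ALLOWED.get(key);
        if (expr == null) {
            throw new IllegalArgumentException("unknown field: " + key);
        }
        return expr.getValue(new StandardEvaluationContext(root));
    }

    // Hypothetical root object; public fields are readable by SpEL directly.
    public static class Person {
        public final String firstName;
        public final String lastName;
        public final int age;
        Person(String firstName, String lastName, int age) {
            this.firstName = firstName; this.lastName = lastName; this.age = age;
        }
    }

    public static void main(String[] args) {
        Person p = new Person("Ada", "Lovelace", 36);
        System.out.println(evaluateSelected("displayName", p));
        System.out.println(evaluateSelected("isAdult", p));
        // evaluateUntrusted(requestParam, p) is the shape to flag in review.
    }
}
```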

Impact

Exploitation of this vulnerability causes excessive resource consumption, leading to a denial-of-service condition where the application becomes unresponsive or unavailable.

Remediation

Users of affected versions should upgrade to Spring Framework 5.3.49. This version is available through the Spring Enterprise subscription.

Added: Jun 9, 2026, 6:14 AM
Updated: Jun 9, 2026, 6:14 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.