Spring Framework Denial-of-Service Vulnerability via Unbounded Cache Growth in SpEL Expressions

Vulnerability

A denial-of-service vulnerability has been identified in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. It affects applications that accept user-supplied Spring Expression Language (SpEL) expressions and cache the parsed expressions. Under those conditions an attacker can drive unbounded cache growth: after a high volume of processing, typically millions of evaluations, the cache exhausts available memory and the application enters a denial-of-service condition.
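The following is an added illustration, not code from the advisory or from Spring: it contrasts an application-level cache of parsed SpEL expressions that grows without limit with a bounded, size-capped alternative. The cache maps, size limits and the `SpelCacheExample` class are hypothetical; upgrading to a fixed version remains the remediation, and the bounded cache is a compensating control on the application side.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;

// Added example (not from the advisory or Spring): unbounded versus bounded
// caching of parsed SpEL expressions keyed on user-supplied strings.
public class SpelCacheExample {
    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Unbounded: every distinct user-supplied string becomes a permanent entry,
    // so a stream of unique expressions grows the heap until it is exhausted.
    private static final Map<String, Expression> UNBOUNDED = new ConcurrentHashMap<>();

    static Expression parseUnbounded(String userExpr) {
        return UNBOUNDED.computeIfAbsent(userExpr, PARSER::parseExpression);
    }

    // Bounded: an access-ordered LRU map evicts the least recently used entry
    // once MAX_ENTRIES is exceeded, so memory use stays flat under any volume.
    private static final int MAX_ENTRIES = 1_000;       // hypothetical limit
    private static final int MAX_EXPR_LENGTH = 256;     // hypothetical limit
    private static final Map<String, Expression> BOUNDED = Collections.synchronizedMap(
        new LinkedHashMap<String, Expression>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Expression> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    static Expression parseBounded(String userExpr) {
        // Reject oversized input before it reaches the parser or the cache.
        if (userExpr == null || userExpr.length() > MAX_EXPR_LENGTH) {
            throw new IllegalArgumentException("expression missing or too long");
        }
        return BOUNDED.computeIfAbsent(userExpr, PARSER::parseExpression);
    }

    public static void main(String[] args) {
        // Constructed sample input: 5,000 distinct expressions.
        for (int i = 0; i < 5_000; i++) {
            parseBounded("1 + " + i);
        }
        // The bounded cache never holds more than MAX_ENTRIES entries.
        System.out.println("bounded cache entries: " + BOUNDED.size());
    }
}
```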

Impact

Exploitation of this vulnerability causes memory exhaustion, leading to a denial-of-service condition where the application becomes unresponsive or unavailable.

Remediation

Users of affected versions should upgrade to the fixed version. The following upgrade options are available:

- For Spring Framework 7.0.x, upgrade to 7.0.8 (OSS) or 7.0.7.1 (Commercial).
- For Spring Framework 6.2.x, upgrade to 6.2.19 (OSS) or 6.2.18.1 (Commercial).
- For Spring Framework 6.1.x, upgrade to 6.1.28 (Commercial).
- For Spring Framework 5.3.x, upgrade to 5.3.49 (Commercial).

Added: Jun 9, 2026, 6:10 AM
Updated: Jun 9, 2026, 6:10 AM

Vulnerability Rating

Custom Algorithm

- spread: 7.8
- impact: 2.5
- exploitability: 4.7
- remediation: 7.7
- relevance: 9.3
- threat: 0.0
- urgency: 2.9
- incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.