CVE-2026-22745 (GCVE-0-2026-22745)

Vulnerability from cvelistv5 – Published: 2026-04-29 11:35 – Updated: 2026-04-29 13:23
Title
CVE-2026-22745 : Denial of service in static resource handling on Windows platforms
Summary
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:
  • the application is using Spring MVC or Spring WebFlux
  • the application is serving static resources from the file system
  • the application is running on a Windows platform

When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
vmware
Impacted products
Vendor: VMware
Product: Spring Framework
Affected versions:
  • 7.0.0 up to (excluding) 7.0.7 (OSS)
  • 6.2.0 up to (excluding) 6.2.18 (OSS)
  • 6.1.0 up to (excluding) 6.1.27 (COMMERCIAL)
  • 5.3.0 up to (excluding) 5.3.48 (COMMERCIAL)
Credits
Bocheng Xiang ( @crispr ) from Fudan University.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22745",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T13:23:48.299313Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T13:23:54.622Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Spring Framework",
          "vendor": "VMware",
          "versions": [
            {
              "lessThan": "7.0.7",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "OSS"
            },
            {
              "lessThan": "6.2.18",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "OSS"
            },
            {
              "lessThan": "6.1.27",
              "status": "affected",
              "version": "6.1.0",
              "versionType": "COMMERCIAL"
            },
            {
              "lessThan": "5.3.48",
              "status": "affected",
              "version": "5.3.0",
              "versionType": "COMMERCIAL"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bocheng Xiang ( @crispr ) from Fudan University."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSpring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eMore precisely, an application can be vulnerable when all the following are true:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe application is using Spring MVC or Spring WebFlux\u003c/li\u003e\u003cli\u003ethe application is serving static resources from the file system\u003c/li\u003e\u003cli\u003ethe application is running on a Windows platform\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWhen all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.\u003c/p\u003e"
            }
          ],
          "value": "Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.\n\n\nMore precisely, an application can be vulnerable when all the following are true:\n\n  *  the application is using Spring MVC or Spring WebFlux\n  *  the application is serving static resources from the file system\n  *  the application is running on a Windows platform\n\n\nWhen all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T11:38:09.237Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-22745"
        },
        {
          "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\u0026version=3.1"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "CVE-2026-22745 : Denial of service in static resource handling on Windows platforms",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-22745",
    "datePublished": "2026-04-29T11:35:21.947Z",
    "dateReserved": "2026-01-09T06:55:03.990Z",
    "dateUpdated": "2026-04-29T13:23:54.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-22745",
      "date": "2026-05-06",
      "epss": "0.00057",
      "percentile": "0.17533"
    }
  }
}

