Spring Framework 5.3.x < 5.3.48 / 6.1.x < 6.1.27 / 6.2.x < 6.2.18 / 7.0.x < 7.0.7 Multiple DoS

Severity: medium | Nessus Plugin ID 314917

Synopsis

The Spring Framework install on the remote host is affected by multiple denial of service vulnerabilities.

Description

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.48, 6.1.x prior to 6.1.27, 6.2.x prior to 6.2.18, or 7.0.x prior to 7.0.7. It is, therefore, affected by multiple vulnerabilities:

- A WebFlux server application that processes multipart requests creates temp files for parts larger than 10K. Under some circumstances, these temp files may not be deleted after the request is fully processed, allowing an attacker to consume available disk space. (CVE-2026-22740)

- Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources with caching and encoded resource resolution enabled. An attacker can poison the resource cache with resources served in the wrong encoding, causing a denial of service. (CVE-2026-22741)

- Spring MVC and WebFlux applications are vulnerable to denial of service attacks when resolving static resources from the file system on Windows platforms. An attacker can send malicious requests that are slow to resolve and that keep HTTP connections in use. (CVE-2026-22745)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Spring Framework version 5.3.48, 6.1.27, 6.2.18, or 7.0.7 or later.
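A defender-side check that applies the affected ranges and fixed versions stated above to an inventory of installed versions. This is an added example, not the Nessus plugin's own code; the inventory dictionary and its hostnames are constructed sample input, and non-numeric suffixes such as `.RELEASE` or `-SNAPSHOT` are ignored when parsing, so a pre-release of a fixed version is reported as fixed.

```python
import re

# Fixed version per affected branch, exactly as the advisory states them.
# Key: (major, minor) branch; value: first fixed version on that branch.
FIXED = {
    (5, 3): (5, 3, 48),
    (6, 1): (6, 1, 27),
    (6, 2): (6, 2, 18),
    (7, 0): (7, 0, 7),
}


def parse_version(version: str) -> tuple:
    """Return the leading numeric components of a version string as a tuple.

    '6.2.17' -> (6, 2, 17); '5.3.47.RELEASE' -> (5, 3, 47);
    '7.0.7-SNAPSHOT' -> (7, 0, 7). Fewer than three components are
    padded with zeros so '6.2' compares as 6.2.0.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version is on a listed branch and predates that branch's fix.

    Branches the advisory does not list (for example 6.0.x) return False:
    this check only encodes what the advisory asserts, nothing more.
    """
    parts = parse_version(version)
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return False
    return parts < fixed  # tuple comparison handles extra components correctly


# Constructed sample inventory: host -> installed Spring Framework version.
SAMPLE_INVENTORY = {
    "web-01": "6.2.17",
    "web-02": "6.2.18",
    "api-01": "5.3.47.RELEASE",
    "api-02": "7.0.7",
    "legacy": "6.0.23",
    "edge": "6.1.26-SNAPSHOT",
}


def triage(inventory: dict) -> list:
    """Return the sorted list of hosts whose version needs the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    print("Hosts needing upgrade:", triage(SAMPLE_INVENTORY))
```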

See Also

https://spring.io/security/cve-2026-22740

https://spring.io/security/cve-2026-22741

http://www.nessus.org/u?781306b6

https://spring.io/security/cve-2026-22745

Plugin Details

Severity: Medium

ID: 314917

File Name: spring_framework_CVE-2026-22740.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 5/15/2026

Updated: 5/15/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2026-22745

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS Score Source: CVE-2026-22740

Vulnerability Information

CPE: cpe:/a:pivotal_software:spring_framework, cpe:/a:vmware:spring_framework

Required KB Items: installed_sw/Spring Framework

Patch Publication Date: 4/17/2026

Vulnerability Publication Date: 4/17/2026

Reference Information

CVE: CVE-2026-22740, CVE-2026-22741, CVE-2026-22745

IAVA: 2026-A-0414