Patches WebFlux disk exhaustion and cache poisoning in Spring Framework
TL;DR — Spring MVC/WebFlux apps can be DoS’d via temp-file disk exhaustion, Windows static-resource request slowdown, or static-resource cache poisoning; inventory exposure and follow Spring’s upgrade guidance.
What happened
Spring Framework is a widely deployed Java application framework that underpins many Spring MVC and reactive Spring WebFlux web services. On April 20, 2026, CERT-FR published advisory CERTFR-2026-AVI-0457 covering three Spring Framework vulnerabilities (CVE-2026-22740, CVE-2026-22741, CVE-2026-22745), referencing Spring’s vendor bulletins dated April 17, 2026.
Based on Spring’s advisories:
- CVE-2026-22740 (Medium): In WebFlux multipart handling, temporary files for parts larger than 10KB may not be deleted under some circumstances, enabling an attacker to consume disk space.
- CVE-2026-22745 (Medium): In Spring MVC/WebFlux static resource resolution on Windows, an attacker can send slow-to-resolve static-resource requests that keep HTTP connections busy, leading to denial of service.
- CVE-2026-22741 (Low): Under specific configuration conditions (resource chain caching + encoded resource resolution), an attacker can poison the static resource cache with wrong encodings and cause a client-visible breakage / DoS of the front-end.
Why this matters: availability issues in foundational frameworks tend to have high blast radius—these bugs sit on common request paths (multipart upload and static asset serving) and can turn “normal” traffic into production-impacting exhaustion.
Who is impacted
- Services using Spring Framework in the affected lines (see version table below).
- WebFlux applications that accept multipart requests (higher risk for CVE-2026-22740, disk exhaustion).
- Spring MVC or WebFlux applications that serve static resources from the filesystem on Windows (risk for CVE-2026-22745).
- Applications using Spring MVC/WebFlux with resource chain support caching enabled and encoded resource resolution (risk for CVE-2026-22741), especially when the resource cache can be poisoned from empty.
| Spring Framework line | Affected versions (Spring advisory) | Fixed version (Spring advisory) | Notes |
|---|---|---|---|
| 7.0.x | 7.0.0 – 7.0.6 | 7.0.7 | OSS |
| 6.2.x | 6.2.0 – 6.2.17 | 6.2.18 | OSS |
| 6.1.x | 6.1.0 – 6.1.26 | 6.1.27 | Marked Commercial by Spring |
| 5.3.x | 5.3.0 – 5.3.47 | 5.3.48 | Marked Commercial by Spring |
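The version table above is the thing most teams need to apply across many services. The script below is an added example, not part of the CERT-FR or Spring advisories: it encodes the table's affected ranges and fixed versions, classifies a Spring Framework version as affected, fixed, or not listed, and scans `mvn dependency:list`-style output (the sample lines are constructed) for `org.springframework` artifacts. The mapping of `spring-webflux`/`spring-webmvc` to the CVEs that apply is derived from the descriptions above; the group/artifact regex and the handling of version suffixes are assumptions.

```python
"""Classify Spring Framework versions against the advisory's version table.

Added example, not the advisory's own tooling. Reads Maven-style dependency
lines (constructed sample below), picks out org.springframework artifacts and
reports whether each version is in an affected range or at/after the fix.
"""
import re

# (line, first affected, last affected, fixed) exactly as in the advisory table.
ADVISORY_TABLE = [
    ("7.0.x", "7.0.0", "7.0.6", "7.0.7"),
    ("6.2.x", "6.2.0", "6.2.17", "6.2.18"),
    ("6.1.x", "6.1.0", "6.1.26", "6.1.27"),
    ("5.3.x", "5.3.0", "5.3.47", "5.3.48"),
]

# Which of the three CVEs apply per web module, per the advisory text:
# multipart temp-file leak is WebFlux-only; static-resource issues hit MVC and WebFlux.
MODULE_CVES = {
    "spring-webflux": ["CVE-2026-22740", "CVE-2026-22745", "CVE-2026-22741"],
    "spring-webmvc": ["CVE-2026-22745", "CVE-2026-22741"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Matches only groupId org.springframework (not org.springframework.boot etc.).
_DEP_RE = re.compile(r"(?<![\w.])org\.springframework:(spring-[\w-]+):jar:([^:\s]+):")


def parse_version(version):
    """Return (major, minor, patch); any suffix such as -SNAPSHOT is ignored (assumption)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for a Spring Framework version."""
    v = parse_version(version)
    for _line, first, last, fixed in ADVISORY_TABLE:
        lo, hi, fx = parse_version(first), parse_version(last), parse_version(fixed)
        if v[:2] != lo[:2]:
            continue  # different minor line
        if lo <= v <= hi:
            return "affected"
        if v >= fx:
            return "fixed"
    # Lines the advisory does not list (e.g. 5.2.x, 6.0.x) need separate review.
    return "unlisted"


def scan_dependency_list(text):
    """Extract org.springframework artifacts from dependency output and classify each."""
    findings = []
    for line in text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        artifact, version = m.groups()
        findings.append({
            "artifact": artifact,
            "version": version,
            "status": classify(version),
            "cves": MODULE_CVES.get(artifact, []),
        })
    return findings


# Constructed sample: one WebFlux service on an affected 6.2.x build. The
# spring-boot line is deliberately present to show it is skipped.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot:jar:3.5.0:compile
[INFO]    org.springframework:spring-core:jar:6.2.10:compile
[INFO]    org.springframework:spring-web:jar:6.2.10:compile
[INFO]    org.springframework:spring-webflux:jar:6.2.10:compile
"""

if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{f['artifact']:<16} {f['version']:<10} {f['status']:<9} {', '.join(f['cves'])}")
```

Run it against the real output of `mvn dependency:list` (or adapt `_DEP_RE` for Gradle's `dependencies` task) for each service you inventory; any `affected` row is a service to schedule for the upgrade listed in the table, and `unlisted` rows are versions outside the advisory's four lines that need their own review.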
What to do now
- Follow vendor remediation guidance from Spring’s advisories: users of affected versions should upgrade to the corresponding fixed version.
- Inventory where you run Spring MVC/WebFlux and identify which services terminate multipart uploads and which serve static assets from local disk.
- For Windows deployments serving static resources, prioritize scoping and patching paths that are likely to be internet-reachable (CDN bypasses, direct origin access, internal portals reachable via VPN).
- Until patched, increase operational visibility for potential DoS symptoms:
  - disk utilization alerts on WebFlux nodes handling multipart requests
  - connection/worker saturation metrics on services serving static resources
  - anomalous request patterns targeting static asset paths
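The last two monitoring items (connection saturation and anomalous static-asset traffic) can be approximated from the access log before you have proper metrics. The script below is an added example, not from the advisory: it parses access-log lines in nginx combined format with `$request_time` appended (a constructed format; the sample lines are constructed), counts static-asset requests per client in a sliding window, and flags clients whose static requests are either unusually frequent or unusually slow to serve, which is the symptom CVE-2026-22745 produces. The static path prefixes, window and thresholds are assumptions to tune per deployment.

```python
"""Flag clients that hammer static-asset paths or tie up connections with slow
static-resource requests, from access-log lines.

Added example, not the advisory's own detection. Assumed log format: nginx
combined format followed by $request_time (seconds). Thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

STATIC_PREFIXES = ("/static/", "/assets/", "/webjars/")  # assumed asset paths
WINDOW = timedelta(seconds=60)
REQUEST_THRESHOLD = 50   # static requests per client per window (assumption)
SLOW_SECONDS = 2.0       # a static file should normally be served far faster (assumption)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["rt"] = float(rec["rt"])
    return rec


def is_static(path):
    """True if the request path (query string ignored) is under a static-asset prefix."""
    return path.split("?", 1)[0].startswith(STATIC_PREFIXES)


def analyze(lines):
    """Return one alert per client whose static-asset traffic is suspiciously frequent or slow."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_static(rec["path"]):
            per_client[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        # Peak number of static requests from this client inside any WINDOW.
        start, peak = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        slow = [r for r in recs if r["rt"] >= SLOW_SECONDS]
        if peak >= REQUEST_THRESHOLD or slow:
            alerts.append({
                "ip": ip,
                "peak_per_window": peak,
                "slow_requests": len(slow),
                "max_rt": max(r["rt"] for r in recs),
            })
    return alerts


def _log(ip, ts, path, rt):
    """Build one constructed log line in the assumed format."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0" {rt:.3f}')


# Constructed sample: one client bursting static requests, one client with a
# single very slow static response, and one ordinary API client.
_BASE = datetime(2026, 4, 20, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    [_log("203.0.113.7", _BASE + timedelta(milliseconds=500 * i), f"/static/js/app.js?v={i}", 0.012)
     for i in range(60)]
    + [_log("198.51.100.4", _BASE + timedelta(seconds=5), "/assets/css/site.css", 0.020),
       _log("198.51.100.4", _BASE + timedelta(seconds=6), "/assets/img/logo.png", 4.500)]
    + [_log("192.0.2.9", _BASE + timedelta(seconds=i), "/api/orders", 0.150) for i in range(5)]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

Feed it the origin server's access log rather than the CDN's, since the advisory's Windows slowdown only matters for requests that actually reach the static resource resolver; a client that shows up with many slow static requests is a reason to check worker saturation on that node and to prioritise its patching.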
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
