CVE-2026-22745

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is serving static resources from the file system * the application is running on a Windows platform When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1	US Government Resource
https://spring.io/security/cve-2026-22745	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

04 May 2026, 14:50

Type	Values Removed	Values Added
References	~~() https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1 -~~	() https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1 - US Government Resource
References	~~() https://spring.io/security/cve-2026-22745 -~~	() https://spring.io/security/cve-2026-22745 - Vendor Advisory
First Time		Vmware spring Framework Vmware Microsoft Microsoft windows
CPE		cpe:2.3:a:vmware:spring_framework:::::::: cpe:2.3:o:microsoft:windows:-:::::::*

30 Apr 2026, 15:11

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-29 12:16

Updated : 2026-05-04 14:50

NVD link : CVE-2026-22745

Mitre link : CVE-2026-22745

CVE.ORG link : CVE-2026-22745

JSON object : View

Products Affected

vmware

spring_framework

microsoft

windows

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2026-22745", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-04-29T12:16:18.620", "references": [{"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1", "tags": ["US Government Resource"], "source": "security@vmware.com"}, {"url": "https://spring.io/security/cve-2026-22745", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@vmware.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.\n\n\nMore precisely, an application can be vulnerable when all the following are true:\n\n * the application is using Spring MVC or Spring WebFlux\n * the application is serving static resources from the file system\n * the application is running on a Windows platform\n\n\nWhen all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application."}], "lastModified": "2026-05-04T14:50:16.040", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23C9BFA0-DDE5-4E6D-A9E0-ECC236913DF3", "versionEndExcluding": "5.3.48"}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC58C148-219F-4868-B9F0-E0AF4435EF79", "versionEndExcluding": "6.1.27", "versionStartIncluding": "6.1.0"}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F317C66F-752D-40A9-AECF-5D1E51368AFE", "versionEndExcluding": "6.2.18", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78C5C95C-1A83-40E7-8C73-D5965E20BD06", "versionEndExcluding": "7.0.7", "versionStartIncluding": "7.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@vmware.com"}