CVE-2026-41848 Overview
CVE-2026-41848 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Spring Framework's AntPathMatcher component. Applications become vulnerable when an attacker can supply a pattern that is then passed, directly or indirectly, to match(String pattern, String path), matchStart(String pattern, String path), or extractUriTemplateVariables(String pattern, String path). A crafted pattern triggers catastrophic backtracking, consuming CPU resources and degrading application availability. The flaw affects multiple supported branches of Spring Framework, a widely deployed Java application framework maintained by VMware.
Critical Impact
Remote, unauthenticated attackers can exhaust CPU resources on affected Spring Framework applications, causing denial of service conditions.
Affected Products
- Spring Framework 7.0.0 through 7.0.7
- Spring Framework 6.2.0 through 6.2.18 and 6.1.0 through 6.1.27
- Spring Framework 5.3.0 through 5.3.48
Discovery Timeline
- 2026-06-09 - CVE-2026-41848 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-41848
Vulnerability Analysis
The vulnerability resides in AntPathMatcher, the Spring Framework utility that matches URL paths and arbitrary strings against Ant-style patterns. When the pattern itself originates from untrusted input, an attacker can craft a pattern whose regular-expression translation causes catastrophic backtracking inside the matcher. The affected methods, match, matchStart, and extractUriTemplateVariables, each invoke pattern compilation and evaluation logic that does not bound execution time. Processing a single malicious request can tie up a request-handling thread indefinitely, and concurrent requests amplify the impact, leading to thread pool exhaustion and unresponsive service endpoints. The issue is tracked under CWE-1333: Inefficient Regular Expression Complexity.
Root Cause
The root cause is the absence of complexity limits on patterns supplied to AntPathMatcher. The matcher translates Ant-style wildcards into Java regular expressions and evaluates them with the standard java.util.regex engine. That engine is a backtracking matcher, so adversarial patterns containing ambiguous quantifiers and alternations can take exponential time to evaluate. Spring did not previously treat the pattern argument as untrusted, so applications that forward user-supplied strings into these methods inherit the ReDoS exposure.
Attack Vector
Exploitation requires no authentication and no user interaction. An attacker sends an HTTP request whose body, query parameter, or header value reaches an application code path that uses the request data as the pattern argument to AntPathMatcher. Typical at-risk code paths include custom security filters, dynamic routing logic, and access-control checks that compare user-controlled inputs against caller-supplied path expressions. Refer to the Spring Security Advisory CVE-2026-41848 for full technical context.
Detection Methods for CVE-2026-41848
Indicators of Compromise
- Sustained spikes in JVM CPU utilization tied to request-processing threads stuck inside org.springframework.util.AntPathMatcher.
- Thread dumps showing multiple threads blocked in java.util.regex.Pattern$* frames invoked from AntPathMatcher.doMatch.
- HTTP request latency increasing sharply for endpoints that accept path or pattern inputs from clients.
Detection Strategies
- Audit application code for any call to AntPathMatcher.match, matchStart, or extractUriTemplateVariables where the first argument is influenced by request data.
- Enable application performance monitoring (APM) traces on Spring controllers and filters to flag long-running regex evaluations.
- Correlate web server access logs with CPU and thread metrics to identify single requests that precede resource exhaustion.
Monitoring Recommendations
- Set alerts on JVM thread states when RUNNABLE threads inside regex frames exceed expected baselines.
- Track request duration percentiles per endpoint and alert on outliers consistent with backtracking behavior.
- Forward Spring and servlet container logs to a centralized analytics platform for rapid query during suspected incidents.
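The thread-dump indicator listed above (regex frames entered from AntPathMatcher.doMatch) and the RUNNABLE-thread alert can be checked mechanically. The following is an added example, not code from the advisory or from Spring; the jstack-style dump it scans is constructed for illustration, and the baseline value is an assumption to tune per service.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Added example, not from the advisory or Spring. Scans a jstack-style thread
// dump for the indicator above: RUNNABLE threads executing java.util.regex
// frames entered from AntPathMatcher.doMatch. The dump is constructed, not real.
public class AntPathRegexDumpScan {

    static final String SAMPLE_DUMP = String.join("\n",
        "\"http-nio-8080-exec-1\" #31 daemon prio=5 os_prio=0 nid=0x1a runnable",
        "   java.lang.Thread.State: RUNNABLE",
        "\tat java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4900)",
        "\tat java.base/java.util.regex.Matcher.matches(Matcher.java:700)",
        "\tat org.springframework.util.AntPathMatcher$AntPathStringMatcher.matchStrings(AntPathMatcher.java:740)",
        "\tat org.springframework.util.AntPathMatcher.doMatch(AntPathMatcher.java:260)",
        "",
        "\"http-nio-8080-exec-2\" #32 daemon prio=5 os_prio=0 nid=0x1b waiting on condition",
        "   java.lang.Thread.State: WAITING (parking)",
        "\tat java.base/jdk.internal.misc.Unsafe.park(Native Method)",
        "",
        "\"http-nio-8080-exec-3\" #33 daemon prio=5 os_prio=0 nid=0x1c runnable",
        "   java.lang.Thread.State: RUNNABLE",
        "\tat java.base/java.util.regex.Pattern$Curly.match0(Pattern.java:4300)",
        "\tat org.springframework.util.AntPathMatcher.doMatch(AntPathMatcher.java:260)",
        "");

    // Names of RUNNABLE threads whose stack has a java.util.regex frame above
    // (i.e. called from) an AntPathMatcher.doMatch frame.
    static List<String> threadsStuckInAntPathRegex(String dump) {
        return Arrays.stream(dump.split("\n\\s*\n"))          // one block per thread
            .filter(b -> b.contains("java.lang.Thread.State: RUNNABLE"))
            .filter(b -> {
                int regex = b.indexOf("java.util.regex.");
                int ant = b.indexOf("org.springframework.util.AntPathMatcher.doMatch");
                return regex >= 0 && ant > regex;               // regex frame is nearer the top
            })
            .map(b -> b.substring(1, b.indexOf('"', 1)))        // quoted thread name
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        int baseline = 1;  // assumed: number normally seen under healthy load, tune per service
        List<String> hits = threadsStuckInAntPathRegex(SAMPLE_DUMP);
        if (hits.size() > baseline) {
            System.out.println("ALERT: " + hits.size() + " threads in AntPathMatcher regex: " + hits);
        }
    }
}
```

Feed the output of jstack on the affected JVM in place of SAMPLE_DUMP and wire the alert into the monitoring pipeline described above.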
How to Mitigate CVE-2026-41848
Immediate Actions Required
- Upgrade Spring Framework to a fixed maintenance release on the 7.0.x, 6.2.x, 6.1.x, or 5.3.x branch as listed in the vendor advisory.
- Inventory every usage of AntPathMatcher in application and library code and confirm that pattern arguments originate from trusted sources.
- Reject or sanitize external input before it can be used as a pattern in path-matching APIs.
Patch Information
VMware has published remediation guidance and fixed versions in the Spring Security Advisory CVE-2026-41848. Upgrade to the latest supported patch release within each affected branch.
Workarounds
- Refactor application logic so that only developer-controlled, static patterns are passed to AntPathMatcher methods.
- Apply input length limits and character allowlists on any request data that must influence pattern selection.
- Deploy a web application firewall (WAF) rule to block requests containing pathological regex constructs such as nested quantifiers in path or query fields.
# Configuration example: enforce request size limits in Spring Boot to reduce ReDoS surface
server.max-http-request-header-size=8KB
spring.servlet.multipart.max-request-size=1MB
spring.mvc.async.request-timeout=5000
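The first two workarounds, keeping patterns developer-controlled and validating the request data that selects them, look like this in application code. This is an added example and not Spring's own code; the class, rule names and paths are hypothetical, and AntPathMatcher, match and extractUriTemplateVariables are the real Spring APIs named in the advisory.

```java
import java.util.Map;
import java.util.regex.Pattern;
import org.springframework.util.AntPathMatcher;

// Added example (not Spring's code). Shows the at-risk usage described in the
// advisory, where request data becomes the *pattern* argument, next to a hardened
// form that keeps every pattern static and uses request data only as the *path*.
public class PathAccessCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Developer-owned, static patterns keyed by a short rule name. A request may
    // select a key, but no request byte ever becomes part of the pattern text.
    private static final Map<String, String> RULES = Map.of(
            "reports", "/api/reports/**",
            "user", "/api/users/{id}/profile");

    // Only the path is client-controlled, so bound its length and character set
    // (adjust the allowlist to the URL grammar your application accepts).
    private static final int MAX_PATH_LENGTH = 2048;
    private static final Pattern SAFE_PATH = Pattern.compile("[A-Za-z0-9/._~-]*");

    // AT RISK: the caller forwards client data as the pattern, so the regex built
    // from it is evaluated by java.util.regex with no complexity bound.
    static boolean vulnerableCheck(String clientPattern, String requestPath) {
        return MATCHER.match(clientPattern, requestPath);
    }

    // HARDENED: the client may only name a rule; unknown names are denied instead
    // of being turned into a pattern, and the path is validated before matching.
    static boolean hardenedCheck(String ruleName, String requestPath) {
        String pattern = RULES.get(ruleName);
        if (pattern == null || requestPath == null
                || requestPath.length() > MAX_PATH_LENGTH
                || !SAFE_PATH.matcher(requestPath).matches()) {
            return false;
        }
        return MATCHER.match(pattern, requestPath);
    }

    // extractUriTemplateVariables gets the same treatment: static pattern, client path.
    static Map<String, String> userIdFromPath(String requestPath) {
        if (!hardenedCheck("user", requestPath)) {
            return Map.of();
        }
        return MATCHER.extractUriTemplateVariables(RULES.get("user"), requestPath);
    }
}
```

hardenedCheck("reports", "/api/reports/2026/q2") matches while hardenedCheck("reports", "/api/users/42/profile") does not, and userIdFromPath("/api/users/42/profile") yields the template variable id=42 without any client-supplied pattern reaching the matcher.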
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.