Description

Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability.

Specifically, an application is vulnerable when the following condition is met:

• The application accepts and evaluates untrusted or user-controlled SpEL expressions.

Affected Spring Products and Versions

Spring Framework:

• 7.0.0 - 7.0.7
• 6.2.0 - 6.2.18
• 6.1.0 - 6.1.27
• 5.3.0 - 5.3.48

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Fixed versions of the Spring Expression Language track the number of operations performed during expression evaluation. To mitigate potential impact on legitimate applications, the new maxOperations limit (default: 10,000) can be customized. If exceeded, applications will throw a SpelEvaluationException (EL1085E). If necessary, developers can adjust this limit locally via SpelParserConfiguration or globally using the spring.expression.maxOperations JVM system property or Spring property. Care should be taken when increasing this value, as higher limits reduce the effectiveness of the mitigation against resource exhaustion.

Credit

This issue was identified and responsibly reported by @wo1enca1ca1.

References

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
• https://cwe.mitre.org/data/definitions/770.html

History

• 2026-06-08: Initial vulnerability report published.