CVE-2026-41842 - Spring versioned resource resolution DoS

Spring MVC and WebFlux applications can be vulnerable to request-driven denial of service when they serve static resources from the filesystem with versioned resource support enabled. Malicious requests can force slow resource resolution and hold connections open long enough to degrade or exhaust capacity.

This does not affect every Spring app. The vulnerable shape requires file-system-backed static resources plus versioned resource handling, not just a generic Spring Framework dependency.

When to use it

  • A Spring MVC or WebFlux app resolves an affected Spring Framework line and serves static assets through resource handlers.
  • ResourceHandlerRegistry, VersionResourceResolver, or equivalent config serves filesystem or mounted resources, not only classpath/CDN assets.
  • Public or semi-public endpoints can trigger versioned resource resolution.
  • You need a bounded PR or triage note that upgrades Spring and proves whether file-backed versioned resource handling is exposed.

Inputs

  • Maven/Gradle manifests, lockfiles, BOMs, container files, SBOMs, deployment manifests, and generated dependency reports.
  • MVC/WebFlux static resource configuration, resource locations, filesystem mounts, CDN/gateway rules, and public route exposure.
  • Capacity controls for request timeouts, rate limits, resource budgets, and slow-resolution handling.
  • Available dependency resolution, MVC/WebFlux tests, static resource tests, container build, SBOM, and dependency/security scan commands.

Affected versions

  • Vulnerable package: Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, 7.0.0-7.0.7
  • Fixed versions: 5.3.49, 6.1.28, 6.2.19, 7.0.8
  • Affected surface: Spring MVC or WebFlux static resource handlers serving filesystem resources with versioned resource support configured

Indicator-of-exposure

  • The repository uses ResourceHandlerRegistry, VersionResourceResolver, or equivalent Spring static resource versioning.
  • Static assets are served from the local filesystem or mounted storage rather than only classpath resources or a CDN.
  • Public or semi-public HTTP endpoints route to those handlers.
  • Capacity protections do not quickly absorb slow resource-resolution requests.

Quick checks:

rg -n "ResourceHandlerRegistry|VersionResourceResolver|addResourceHandlers|resourceChain|VersionStrategy|WebFluxConfigurer|WebMvcConfigurer|file:" .
mvn -q dependency:tree | rg "spring-webmvc|spring-webflux|spring-core"
gradle dependencies --configuration runtimeClasspath | rg "spring-webmvc|spring-webflux"

Windows:

rg -n "ResourceHandlerRegistry|VersionResourceResolver|addResourceHandlers|resourceChain|VersionStrategy|WebFluxConfigurer|WebMvcConfigurer|file:" .
mvn -q dependency:tree | rg "spring-webmvc|spring-webflux|spring-core"
gradle dependencies --configuration runtimeClasspath | rg "spring-webmvc|spring-webflux"

Remediation strategy

  • Upgrade Spring Framework to the fixed release for the maintained branch.
  • Confirm whether versioned resource support is still needed for filesystem resources; remove unnecessary file-backed versioning.
  • Add tests or config checks proving malicious paths do not cause unbounded or overly slow resolution.
  • If upgrade is blocked, reduce exposure by moving assets to classpath or CDN hosting, or by disabling versioned handling for file-backed resources.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-41842, a Spring MVC/WebFlux denial-of-service issue
in versioned file-system resource resolution. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Spring Framework, hardens
  affected resource handlers, adds safe regression checks, and documents
  operator actions, or
- TRIAGE.md if this repository does not control an affected static resource
  configuration.

## Rules

- Scope only CVE-2026-41842 and directly related versioned static resource
  handling.
- Treat filesystem paths, deployment mounts, and asset locations as sensitive.
- Do not run connection-flood or production stress tests.
- Do not remove static asset handling without a documented replacement.
- Do not auto-merge.

## Steps

1. Inventory Spring Framework dependencies, MVC/WebFlux config, static resource
   handler definitions, images, lockfiles, and SBOMs.
2. Determine which targets resolve vulnerable Spring Framework versions.
3. Identify resource handlers that both serve from the filesystem and enable
   versioned resource support.
4. If no affected configuration is controlled here, stop with `TRIAGE.md`
   listing checked files and the runtime owner if external.
5. Upgrade all controlled Spring Framework references to the fixed release.
6. Remove or narrow file-backed versioned resource handling where it is not
   required.
7. Add safe regression coverage that validates handler behavior on malformed or
   slow-resolving request shapes without performing a live DoS.
8. Add a PR body section named `CVE-2026-41842 operator actions` that states:
   - versions before and after;
   - which handlers served file-backed versioned resources;
   - any containment applied;
   - which validation commands passed.
9. Run available validation: dependency resolution, MVC/WebFlux tests,
   container build, and security scans.
10. Use PR title:
    `fix(sec): remediate CVE-2026-41842 in Spring Framework`.

## Stop conditions

- No affected file-backed versioned resource handler is controlled here.
- Verification would require live stress against shared or production systems.
- Upgrade requires an out-of-scope framework migration.
- Validation fails for unrelated pre-existing reasons; document them instead of
  broadening scope.

Verification - what the reviewer looks for

  • No controlled build resolves a vulnerable Spring Framework line.
  • File-backed versioned resource handlers are either patched or removed.
  • Tests or policy checks cover the risky handler configuration.

Output contract

  • Reviewer-ready PR upgrading Spring Framework to the fixed release for the maintained branch and refreshing build, image, SBOM, and deployment artifacts.
  • Evidence distinguishing affected file-backed versioned resource handlers from classpath-only or CDN-served assets.
  • Safe regression or policy checks for malformed or slow-resolving request shapes without live stress testing.
  • TRIAGE.md when no affected resource handler is controlled here or the required framework migration exceeds safe scope.

Watch for

  • Static assets served from mounted storage in production but classpath in local tests.
  • Upgrading framework jars while an image layer or deployment manifest still ships the old line.

References