CVE-2026-41849 - Spring SpEL integer overflow DoS
Spring Framework 5.3.x contains an integer overflow vulnerability in Spring Expression Language evaluation. Applications that accept untrusted SpEL expressions can be forced into excessive resource consumption, causing denial of service.
The key question is whether the repository evaluates user-controlled SpEL, not just whether Spring is present. Many applications are unaffected because they never expose SpEL as a data language to attackers.
When to use it
- A Spring Framework 5.3.x app resolves a vulnerable
spring-expressionor related Spring Framework line. - HTTP parameters, messages, workflow rules, tenant config, admin forms, templates, or other untrusted sources can reach SpEL parsing/evaluation.
- You need to distinguish internal
@Valueor trusted configuration use from attacker-controlled expression evaluation. - You need a bounded PR or triage note that upgrades Spring and constrains untrusted SpEL paths.
Inputs
- Maven/Gradle manifests, lockfiles, BOMs, container files, SBOMs, platform BOMs, and generated dependency reports.
- SpEL parser/evaluation call sites, rule engines, workflow config, admin expression editors, message processors, and template integrations.
- Evaluation context objects, allowed syntax, length limits, authentication, tenant boundaries, and owner-approved replacement mechanisms.
- Available dependency resolution, unit/rule tests, container build, SBOM, and dependency/security scan commands.
Affected versions
- Vulnerable package: Spring Framework
5.3.0-5.3.48 - Fixed version:
5.3.49 - Affected surface: application paths that evaluate untrusted or user-controlled SpEL expressions
Indicator-of-exposure
- The repository parses or evaluates SpEL from HTTP parameters, message payloads, templates, workflow rules, tenant config, or admin-entered expressions.
- The deployment still runs on Spring Framework 5.3.x.
- Existing controls assume SpEL input is trusted and do not constrain length, operators, or evaluation context.
Quick checks:
rg -n "SpelExpressionParser|ExpressionParser|parseExpression|StandardEvaluationContext|SimpleEvaluationContext|spring\\.expression|@Value\\(|ParserContext" .
mvn -q dependency:tree | rg "spring-expression|spring-core"
gradle dependencies --configuration runtimeClasspath | rg "spring-expression"
Windows:
rg -n "SpelExpressionParser|ExpressionParser|parseExpression|StandardEvaluationContext|SimpleEvaluationContext|spring\\.expression|@Value\\(|ParserContext" .
mvn -q dependency:tree | rg "spring-expression|spring-core"
gradle dependencies --configuration runtimeClasspath | rg "spring-expression"
Remediation strategy
- Upgrade Spring Framework 5.3.x to
5.3.49. - Remove or gate any untrusted SpEL evaluation paths where possible.
- Add tests that prove malicious expressions are rejected or safely bounded.
- If the repository cannot stop evaluating untrusted expressions immediately, reduce exposure by constraining who can supply them and by limiting allowed syntax and context objects.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-41849, a Spring SpEL integer-overflow denial of
service in Spring Framework 5.3.x. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Spring Framework, hardens any
untrusted SpEL paths, adds safe regression checks, and documents operator
actions, or
- TRIAGE.md if this repository does not control an affected untrusted SpEL
evaluation path.
## Rules
- Scope only CVE-2026-41849 and directly related SpEL parsing/evaluation code.
- Treat expressions, evaluation context data, secrets, and business inputs as
sensitive.
- Do not run exploit-like resource exhaustion tests against shared systems.
- Do not broaden scope into generic expression-language cleanup unrelated to the
CVE.
- Do not auto-merge.
## Steps
1. Inventory Spring Framework dependencies, SpEL usage sites, rule engines,
config paths, images, lockfiles, and SBOMs.
2. Determine whether any path evaluates untrusted or user-controlled SpEL.
3. Confirm whether affected targets resolve Spring Framework 5.3.x below 5.3.49.
4. If no affected path is controlled here, stop with `TRIAGE.md` listing
checked files and the runtime owner if external.
5. Upgrade all controlled Spring Framework references to `5.3.49`.
6. Where possible, remove untrusted SpEL evaluation or replace it with a safer
constrained mechanism.
7. Add safe regression tests that reject or bound hostile expressions without
performing real exhaustion attacks.
8. Add a PR body section named `CVE-2026-41849 operator actions` that states:
- versions before and after;
- which SpEL entry points were reviewed;
- whether any untrusted expression paths remain;
- which validation commands passed.
9. Run available validation: dependency resolution, unit tests, relevant rule
tests, container build, and security scans.
10. Use PR title:
`fix(sec): remediate CVE-2026-41849 in Spring Framework`.
## Stop conditions
- No affected untrusted SpEL path is controlled here.
- Verification would require deliberate resource exhaustion against live or
shared systems.
- Upgrade needs an out-of-scope platform migration.
- Validation fails for unrelated pre-existing reasons; document them instead of
broadening scope.
Verification - what the reviewer looks for
- No controlled target resolves Spring Framework 5.3.x below 5.3.49.
- Untrusted SpEL entry points are removed, constrained, or explicitly triaged.
- Tests cover malicious-expression rejection or safe bounds.
Output contract
- Reviewer-ready PR upgrading controlled Spring Framework 5.3.x targets to
5.3.49and refreshing lockfiles, platform BOMs, images, SBOMs, and reports. - Evidence identifying every SpEL entry point reviewed and whether it is trusted configuration or untrusted input.
- Safe tests or policy checks that reject or bound hostile expressions without resource-exhaustion payloads.
TRIAGE.mdwhen no affected untrusted SpEL path is controlled here or the upgrade requires an out-of-scope platform migration.
Watch for
- Assuming all
@Valueor internal configuration use is exploitable; the attack needs untrusted expression input. - Fixing application dependencies while container images or internal platform BOMs still pin 5.3.48.
Related recipes
- CVE-2026-41850 Spring SpEL algorithmic DoS
- CVE-2026-41842 Spring versioned resource DoS
- Vulnerable dependency remediation
References
- Spring advisory: https://spring.io/security/cve-2026-41849/
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41849