Integer Overflow or Wraparound Affecting org.springframework:spring-expression package, versions [5.3.0,6.0.0)


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.26% (18th percentile)

  • Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORK-17260840
  • Published: 9 Jun 2026
  • Disclosed: 8 Jun 2026
  • Credit: Unknown

Introduced: 8 Jun 2026

CVE-2026-41849
CWE-190

How to fix?

Upgrade org.springframework:spring-expression to version 6.0.0 or higher.
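The affected range in the title is written in Maven version-range notation. As an added example (not Snyk's or the Spring project's code), this Python script parses that range and flags matching versions of the artifact in a constructed sample of `mvn dependency:tree` output; the version ordering is a simplified form of Maven's (numeric parts, then pre-release qualifiers below the release), which is an assumption of the example.

```python
import re

# Coordinates and affected range exactly as stated in this advisory.
ARTIFACT = "org.springframework:spring-expression"
AFFECTED_RANGE = "[5.3.0,6.0.0)"
# Pre-release qualifiers, lowest to highest; a bare release sorts above all of them.
_QUALIFIER_ORDER = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2, "rc": 3, "cr": 3, "snapshot": 4}

def version_key(version: str):
    # Simplified Maven ordering (assumption): numeric parts, then a release outranks any pre-release qualifier.
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))  # Maven treats 5.3 as 5.3.0
    if not qualifier:
        return (nums, 1, 0, 0)
    m = re.match(r"([A-Za-z]*)(\d*)", qualifier)
    rank = _QUALIFIER_ORDER.get(m.group(1).lower(), 5)  # unknown qualifiers: highest pre-release
    return (nums, 0, rank, int(m.group(2) or 0))

def in_range(version: str, vrange: str) -> bool:
    # '[' / ']' bounds are inclusive, '(' / ')' exclusive; an empty bound means unbounded.
    m = re.fullmatch(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])", vrange)
    if not m:
        raise ValueError(f"unsupported range syntax: {vrange}")
    lo_br, lo, hi, hi_br = m.groups()
    key = version_key(version)
    if lo and (key < version_key(lo) or (lo_br == "(" and key == version_key(lo))):
        return False
    if hi and (key > version_key(hi) or (hi_br == ")" and key == version_key(hi))):
        return False
    return True

def affected_artifacts(dependency_tree: str):
    # Scan 'mvn dependency:tree' output; return (version, affected?) per occurrence of the artifact.
    results = []
    for line in dependency_tree.splitlines():
        m = re.search(re.escape(ARTIFACT) + r":jar:([^:\s]+)", line)
        if m:
            results.append((m.group(1), in_range(m.group(1), AFFECTED_RANGE)))
    return results

# Constructed sample of dependency:tree output (not from a real build).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework:spring-expression:jar:5.3.27:compile
[INFO] \\- org.springframework:spring-expression:jar:6.0.0:test
"""

if __name__ == "__main__":
    for version, hit in affected_artifacts(SAMPLE_TREE):
        print(f"{ARTIFACT}:{version} -> {'AFFECTED, upgrade to 6.0.0 or higher' if hit else 'not affected'}")
```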

Overview

Affected versions of this package are vulnerable to Integer Overflow or Wraparound during Spring Expression Language (SpEL) evaluation. An attacker can cause a denial of service by supplying a specially crafted SpEL expression that triggers an integer overflow, leading to excessive resource consumption during expression processing and potentially rendering the application unavailable.
