Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-29T11:35:21 spring-webflux: Spring MVC and Spring WebFlux: Denial of Service via slow static resource resolution on Windows 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CWE-770

A flaw was found in Spring MVC and Spring WebFlux applications. When an application is configured to serve static resources from the file system on a Windows platform, a remote attacker can send specially crafted requests that are slow to resolve. This can keep HTTP connections in use, leading to a Denial of Service (DoS) on the application.

Red Hat build of Apache Camel - HawtIO 4 Fix deferred spring-webflux Red Hat Fuse 7 Out of support scope spring-webflux Red Hat JBoss Enterprise Application Platform 7 Out of support scope spring-webflux Red Hat JBoss Enterprise Application Platform 8 Fix deferred opentelemetry-javaagent-spring-webflux-5.0 Red Hat JBoss Enterprise Application Platform 8 Fix deferred opentelemetry-spring-webflux-5.3 Red Hat JBoss Enterprise Application Platform 8 Fix deferred spring-webflux Red Hat JBoss Enterprise Application Platform Expansion Pack Fix deferred opentelemetry-javaagent-spring-webflux-5.0 Red Hat JBoss Enterprise Application Platform Expansion Pack Fix deferred opentelemetry-spring-webflux-5.3 Red Hat JBoss Enterprise Application Platform Expansion Pack Out of support scope spring-webflux https://www.cve.org/CVERecord?id=CVE-2026-22745 https://nvd.nist.gov/vuln/detail/CVE-2026-22745 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1 https://spring.io/security/cve-2026-22745