CVE Vulnerabilities

CVE-2026-40989

Uncontrolled Recursion

Published: Jun 01, 2026 | Modified: Jun 17, 2026
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Ubuntu
root.io logo minimus.io logo echo.ai logo

Under infinite recursion in the routing layer, request-handling can cause OOM error.

Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

NameVendorStart VersionEnd Version
Spring_cloud_functionVmware3.2.0 (including)3.2.16 (excluding)
Spring_cloud_functionVmware4.1.0 (including)4.1.10 (excluding)
Spring_cloud_functionVmware4.2.0 (including)4.2.6 (excluding)
Spring_cloud_functionVmware4.3.0 (including)4.3.3 (excluding)
Spring_cloud_functionVmware5.0.0 (including)5.0.2 (excluding)

Potential Mitigations

References