CVE-2026-41848

WSO2 Products impacted: no

Customer actions required: no


REPORTED VULNERABILITY

Spring Framework's AntPathMatcher is vulnerable to a Regular Expression Denial of Service (ReDoS) attack [1]. A crafted Ant-style pattern is compiled into a backtracking java.util.regex.Pattern that can take super-linear time to evaluate against a suitable input, tying up the matching thread. An application is vulnerable if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following AntPathMatcher methods:

  • match(String pattern, String path)
  • matchStart(String pattern, String path)
  • extractUriTemplateVariables(String pattern, String path)

The decisive precondition is that the attacker must control the pattern argument, not the path being matched. The maintainer (VMware/Spring, the CNA) rates the impact Low, availability only (CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) [1]; note that NVD records a higher base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [2], the difference being NVD's Low attack-complexity and High availability-impact ratings. Affected Spring Framework versions are 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18 and 7.0.0–7.0.7 (fixed in 5.3.49, 6.1.28, 6.2.19 and 7.0.8; the 5.3.x and 6.1.x fixes are commercial-only).

REPORTED PRODUCTS

  • WSO2 Identity Server : 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0

The vulnerable component reported by the scanner is org.springframework:spring-core (which contains org.springframework.util.AntPathMatcher), bundled as a WSO2 rebuild of Spring Framework 5.3.39 (5.3.39-wso2v2) under the embedded Apache CXF (cxf3) JAX-RS runtime.

WSO2 JUSTIFICATION

In WSO2 Identity Server, Spring Framework is used solely as the internal dependency-injection container of the bundled Apache CXF (cxf3) JAX-RS runtime. The vulnerability is not exploitable because no attacker-controlled value can ever reach the pattern argument of AntPathMatcher. A bytecode-level review of the entire distribution established the following:

  • No WSO2 Identity Server code or other third-party library calls AntPathMatcher directly. The only places that reference it are Spring's own classes. The only indirect route is Spring's PathMatchingResourcePatternResolver, whose sole non-Spring callers in the runtime are two Apache CXF cxf-core classes — BusApplicationContext, which loads the fixed bus descriptors META-INF/cxf/cxf.xml and classpath*:META-INF/cxf/cxf.extension at startup, and SpringClasspathScanner, which scans classpath*:<basePackage>/**/*.class only when a jaxrs:server is declared with basePackages. These patterns are compile-time constants or developer-defined configuration values, evaluated only during startup/initialization; none is derived from request data. In this product every deployed jaxrs:server declares explicit serviceBeans and none uses basePackages, so the only pattern containing the ReDoS-prone ** wildcard is never even exercised.

  • The request side cannot supply the pattern. CXF JAX-RS performs request routing using its own URI template matcher (org.apache.cxf.jaxrs.model.URITemplate), not Spring's AntPathMatcher. Even on the indirect classpath-scanning path, an incoming request can at most influence the path/input being matched, never the pattern — and CVE-2026-41848 is exploitable only through an attacker-controlled pattern.

  • No user-pattern surface is exposed. Spring MVC (spring-webmvc) is not shipped, so the request-mapping path-matching path that would feed request-influenced patterns into AntPathMatcher does not exist in the product.

Because every pattern argument that reaches AntPathMatcher (directly or indirectly) is a developer-defined or framework-defined constant rather than untrusted input, the precondition for the ReDoS cannot be met and the vulnerable code path is unreachable.
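The "no non-Spring callers" claim above is a reachability check that anyone reviewing their own deployment will want to repeat. The following is an added example, not WSO2 tooling and not part of the original advisory: a Python scanner that walks a set of jars (one level of nested jars/wars included), parses the constant pool of every class file, and lists the non-Spring classes whose constants mention AntPathMatcher or PathMatchingResourcePatternResolver. Class references, field/method descriptors and string literals all live in the constant pool, so a static reference shows up there; reflective or string-built references would not, which is the usual limitation of this kind of check. The sample archives are constructed in-memory stand-ins with minimal class-file prefixes, not the real WSO2, Spring or CXF jars, and their jar names are assumptions.

```python
"""Static reachability check: which non-Spring classes in a distribution
reference AntPathMatcher or PathMatchingResourcePatternResolver?
Added illustration only; not WSO2's own review tooling."""
import io
import struct
import zipfile

# Internal (JVM) names of the classes whose callers we want to enumerate.
TARGETS = (
    b"org/springframework/util/AntPathMatcher",
    b"org/springframework/core/io/support/PathMatchingResourcePatternResolver",
)
SPRING_PREFIX = "org/springframework/"   # Spring's own classes are expected hits

# Byte size of each fixed-width constant-pool entry, keyed by tag (JVMS 4.4).
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return the CONSTANT_Utf8 entries of a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return []                              # not a class file
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, index, out = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                           # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            out.append(class_bytes[pos + 2:pos + 2 + length])
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            break                              # malformed/unknown tag: stop
        index += 2 if tag in (5, 6) else 1     # Long/Double take two slots
    return out


def referencing_classes(archive_name, data, nested=True):
    """Yield (archive, class entry) for each non-Spring class in a jar whose
    constant pool mentions a TARGET; descends one level into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                if entry.startswith(SPRING_PREFIX):
                    continue
                consts = utf8_constants(zf.read(entry))
                if any(t in c for c in consts for t in TARGETS):
                    yield archive_name, entry
            elif nested and entry.endswith((".jar", ".war", ".zip")):
                yield from referencing_classes(f"{archive_name}!{entry}",
                                               zf.read(entry), nested=False)


def find_callers(archives):
    """archives: mapping of archive name -> jar bytes. Returns sorted hits."""
    return sorted(hit for name, data in archives.items()
                  for hit in referencing_classes(name, data))


# --- constructed sample distribution (stand-ins, not real jars) -------------
def make_class(*utf8):
    """Minimal class-file prefix: magic, version 52.0, a Utf8-only pool."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s for s in utf8)
    return (b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34"
            + struct.pack(">H", len(utf8) + 1) + pool)


def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLE = {
    "spring-core.jar": make_jar({                      # assumed jar name
        "org/springframework/util/AntPathMatcher.class":
            make_class(b"org/springframework/util/AntPathMatcher"),
        "org/springframework/core/io/support/PathMatchingResourcePatternResolver.class":
            make_class(b"org/springframework/util/AntPathMatcher", b"match"),
    }),
    "cxf-core.jar": make_jar({                         # assumed jar name
        "org/apache/cxf/bus/spring/BusApplicationContext.class":
            make_class(b"org/springframework/core/io/support/PathMatchingResourcePatternResolver",
                       b"classpath*:META-INF/cxf/cxf.extension"),
        "org/apache/cxf/common/util/SpringClasspathScanner.class":
            make_class(b"Lorg/springframework/core/io/support/PathMatchingResourcePatternResolver;"),
    }),
    "cxf-rt-frontend-jaxrs.jar": make_jar({            # assumed jar name
        "org/apache/cxf/jaxrs/model/URITemplate.class":
            make_class(b"java/util/regex/Pattern"),    # no Spring reference
    }),
}

if __name__ == "__main__":
    for archive, cls in find_callers(SAMPLE):
        print(f"{archive}: {cls}")
```

Run against a real distribution by replacing SAMPLE with a dict built from the bytes of each jar on disk. Every hit is a candidate call site to inspect by hand for where its pattern argument comes from; an empty result outside Spring's own packages is the condition the justification above relies on.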

Regarding remediation of the dependency itself: the open-source Spring Framework 5.3.x line reached end-of-life at 5.3.39, and the 5.3.x release that contains the fix for this CVE (5.3.49) is published under commercial support only and is not available on Maven Central. Migrating the cxf3 runtime to a fixed OSS release (6.2.19 / 7.0.8) is not viable either, as Spring 6.x/7.x requires Java 17+ and the Jakarta EE (jakarta.*) namespace — a major, breaking architectural change for the affected product version. Because the vulnerability is not exploitable in the product, this dependency upgrade is not warranted on the basis of CVE-2026-41848 alone.

CONCLUSION

  • The vulnerable AntPathMatcher code is present in the bundled Spring Framework (5.3.39-wso2v2, within the affected 5.3.x range and unpatched in OSS), but the exploit precondition does not exist in WSO2 Identity Server.
  • The AntPathMatcher ReDoS is triggered only by an attacker-controlled pattern argument.
  • In WSO2 Identity Server, every pattern reaching AntPathMatcher is a fixed framework/config constant evaluated at startup; no product or third-party code passes untrusted input as the pattern.
  • CXF JAX-RS request routing does not use AntPathMatcher, and spring-webmvc is not shipped, so no user-controlled pattern surface exists.

Based on this evidence, we conclude that this vulnerability does not pose a security risk to the impacted versions of WSO2 products listed above.

REFERENCES