Impact
Spring Data Commons versions before 1.13.11, 2.0.0 through 2.0.5, and older unsupported versions contain a property-path parser resource-exhaustion issue [S1][S2][S3]. When an affected Spring runtime exposes Spring Data REST endpoints or other property-path parsing paths to untrusted requests, crafted parameters can drive excessive CPU and memory use and interrupt service availability [S1][S2][S3].
Affected dependency evidence
The advisory affects the Maven package org.springframework.data:spring-data-commons in version ranges <1.13.11 and >=2.0.0 <2.0.6 [S3]. Spring's advisory also lists affected Spring Data REST release lines and notes that older unsupported versions are affected [S1].
Covered by FixVibe
FixVibe covers this issue in GitHub repository scans with the discovery.product-cve-2018-1274 check. The scanner reviews authorized repository dependency files such as pom.xml, build.gradle, and build.gradle.kts for Spring Data Commons versions that match the advisory range.
Findings are reported as version-based advisory evidence. FixVibe does not run the application, probe Spring Data REST endpoints, send crafted property-path parameters, stress CPU or memory, or claim live denial-of-service confirmation from dependency evidence alone.
Fix
Upgrade Spring Data Commons to 1.13.11, 2.0.6, or a later supported Spring Data release line [S1][S3]. Update the controlling Spring Boot parent, Spring Data BOM, direct dependency, Gradle platform, or dependency constraint, regenerate build metadata, rebuild the deployed JAR/WAR/container image, and verify the active dependency graph no longer resolves an affected version. Authentication and authorization can limit exposure while rollout completes, but the dependency/runtime upgrade is the primary fix [S1].
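As an added example (not FixVibe's scanner code), the following Python check encodes the advisory ranges quoted above, classifies Spring Data Commons version strings against them, and pulls the declared version out of a constructed pom.xml while resolving a Maven property; a version that is managed by a Spring Boot parent or BOM is reported as unresolved, which is exactly the case where the dependency-graph verification described above is needed rather than a text match.

```python
import re
import xml.etree.ElementTree as ET

# Advisory ranges for spring-data-commons: <1.13.11 and >=2.0.0 <2.0.6 (upper bound exclusive).
AFFECTED_RANGES = (((0, 0, 0), (1, 13, 11)), ((2, 0, 0), (2, 0, 6)))
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not from any real project); it pins the version
# through a Maven property, as many Spring builds do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring-data.version>2.0.5.RELEASE</spring-data.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.data</groupId>
      <artifactId>spring-data-commons</artifactId>
      <version>${spring-data.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(version):
    """(major, minor, patch) from Spring-style strings such as '1.13.10.RELEASE';
    None for anything non-numeric, e.g. an unresolved ${property}."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-].*)?$", version.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version):
    """True when the version lies inside one of the advisory ranges."""
    v = parse_version(version)
    return v is not None and any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def scan_pom(pom_xml):
    """(declared version, affected?) per spring-data-commons dependency; a version
    managed by a parent/BOM comes back as '' and needs the resolved-graph check."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    results = []
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        if (gid, aid) != ("org.springframework.data", "spring-data-commons"):
            continue
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        ver = re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), ver)
        results.append((ver, is_affected(ver)))
    return results
```

Run it against the output of your build tool's resolved dependency listing as well, since a pom that declares no version for this artifact inherits one from the parent or BOM and the text match alone proves nothing.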
