DispatcherServlet swallows HttpMediaTypeException during content negotiation in Spring Boot 3.5.9

[connect-ankit]

Description
During request mapping, when the Accept header contains a large number of media types (e.g., 50+), Spring MVC throws HttpMediaTypeException while parsing the header inside content negotiation.

Spring Boot version
3.5.9

Spring Framework version
6.2.15 (managed by Boot 3.5.9)

However, this exception is swallowed inside ProducesRequestCondition#getMatchingCondition() and null is returned instead of propagating the exception.

Because of this:

@ExceptionHandler(HttpMediaTypeNotAcceptableException.class) is never invoked
@ControllerAdvice cannot catch the error
request mapping fails silently
This makes it impossible to handle malformed or oversized Accept headers using standard MVC exception handling.

Observed behaviour

When calling an endpoint with many Accept values:

Accept: application/type1,application/type2, ... (60+)

Internally:

MediaType.parseMediaTypes()
  → throws HttpMediaTypeException

ProducesRequestCondition#getMatchingCondition()
  catch (HttpMediaTypeException)
  → returns null

Result:

handler mapping fails

controller not executed

exception never surfaces
Expected behaviour

One of the following:

Propagate HttpMediaTypeException to the MVC exception chain so @ExceptionHandler can handle it

Return 406/400 directly from DispatcherServlet

Currently, there is no way to handle large/malformed Accept headers inside MVC.

Reproduction

Request

curl -X GET http://localhost:8080/test \
$(for i in $(seq 1 60); do printf ' -H "Accept: application/type%d"' "$i"; done)

Result

handler not invoked
exception handler not invoked
Root cause (code reference)
Inside Spring Framework:
ProducesRequestCondition#getMatchingCondition

try {
    acceptedMediaTypes = this.getAcceptedMediaTypes(request);
}
catch (HttpMediaTypeException ex) {
    return null; **//The exception is swallowed here**
}

This swallowing prevents the exception from propagating to controller-level handlers.

Workaround

Add a OncePerRequestFilter to validate the Accept header before it reaches MVC:

@component

public class AcceptHeaderLimitFilter extends OncePerRequestFilter {
    private static final int MAX_ACCEPT_VALUES = 50;
    @Override
    protected void doFilterInternal(
            HttpServletRequest request,
            HttpServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        String accept = request.getHeader("Accept");
        if (accept != null) {
            int count = 1;
            for (int i = 0; i < accept.length(); i++) {
                if (accept.charAt(i) == ',') count++;
            }
            if (count > MAX_ACCEPT_VALUES) {
                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                response.setContentType("application/json");
                response.getWriter().write(
                    "{\"error\":\"Bad Request\",\"error_description\":\"Too many Accept-header mime-types\"}"
                );
                return;
            }
        }
        chain.doFilter(request, response);
    }
}

Note: This workaround works but requires infrastructure-level filtering; ideally, MVC should allow handling this exception at the controller level.

Additional Notes

Behaviour became more visible after upgrading to Spring Boot 3.5.x (Spring Framework 6.2)

Is swallowing HttpMediaTypeException inside ProducesRequestCondition#getMatchingCondition() the intended design?

If yes, is there a recommended way to propagate it to @ExceptionHandler or customized the response without using a pre-filter?

[bclozel]

Could you share a minimal sample application that demonstrates the problem? Currently your description is mixing the description of the sample app, the Framework behavior and a workaround. We should start by reproducing what you are seeing.

In general, @ExceptionHandler annotated methods are meant to handle exceptions raised locally by a Controller method, or more globally (with a general @ControllerAdvice) for MVC exceptions. The fact that this is raised/swallowed during the matching process (building a ProducesRequestCondition happens while trying to find the relevant controller method) might be an important part of what is happening.

Please share a minimal sample so we can better discuss this issue.

[anaconda875]

Hi guys, I submited a PR: #36329.
Please let me know if any issue with the PR. I really want to contribue to the framework. This is my second contribution!!
Reason I make this PR

1. We have a "secret" constraint of 50 mime types

	public static <T extends MimeType> void sortBySpecificity(List<T> mimeTypes) {
		Assert.notNull(mimeTypes, "'mimeTypes' must not be null");
		if (mimeTypes.size() > 50) {
			throw new InvalidMimeTypeException(mimeTypes.toString(), "Too many elements");
		}

		bubbleSort(mimeTypes, MimeType::isLessSpecific);
	}

and we just throw a generic InvalidMimeTypeException, then HttpMediaTypeNotAcceptableException. It is unclear for the developers and end-users why my MediaType are NotAcceptable. Their fault? Or framework limitation? Or configuration error? Not easy to know!
2. The framework default to return 406 http status without any infomation, making the end-users/client can not know what is happenning behind
3. Adding new Exception will help the developers to write their exception handler to provide useful infomation to the end-users. E.g let them know they must not provide more than 50 mime types.

[anaconda875]

Also the minimal sample application that demonstrates the problem: https://github.com/anaconda875/spring-framework-issue-36300

curl --location --request GET 'localhost:8080' \
--header 'Accept: application/type0,application/type1,application/type2,application/type3,application/type4,application/type5,application/type6,application/type7,application/type8,application/type9,application/type10,application/type11,application/type12,application/type13,application/type14,application/type15,application/type16,application/type17,application/type18,application/type19,application/type20,application/type21,application/type22,application/type23,application/type24,application/type25,application/type26,application/type27,application/type28,application/type29,application/type30,application/type31,application/type32,application/type33,application/type34,application/type35,application/type36,application/type37,application/type38,application/type39,application/type40,application/type41,application/type42,application/type43,application/type44,application/type45,application/type46,application/type47,application/type48,application/type49,application/type50,application/type51,application/type52,application/type53,application/type54,application/type55,application/type56,application/type57,application/type58,application/type59,application/type60,application/type61,application/type62,application/type63,application/type64,application/type65,application/type66,application/type67,application/type68,application/type69'

[bclozel]

I don't think we should create a dedicated exception for that. The request is clearly invalid and can be considered as a denial of service. Returning a specific error message here would help attackers fingerprint Spring applications.

The media type error is a good compromise and I think we should keep it that way.