A Spring Boot 3.4 / Java 21 demo application that showcases a well-known Java concurrency pitfall: sharing a stateful CharsetDecoder across threads. The service provides two decoder implementations (vulnerable and hardened), toggled via configuration, so you can run the same load test against both and compare results live.

  • Deep-dive blog post — full analysis of the race condition, attack vector, and fix
  • Interactive demo — metrics dashboard, error evidence, and decode history from a real load test
  • Source code — Spring Boot service, load runner, and site generator