A code injection vulnerability where attackers inject Spring Expression Language (SpEL) expressions to access Spring beans and execute arbitrary code.
SpEL Injection is a code injection vulnerability in applications that build Spring Expression Language (SpEL) expressions from user input. When attacker-controlled text is parsed and evaluated as an expression, the attacker can reference Spring beans, invoke methods, instantiate classes and ultimately execute arbitrary code on the server.
SpEL is the expression language of the Spring Framework. It can query and manipulate object graphs at runtime and, through type references such as T(java.lang.Runtime), reach any class on the classpath. The default StandardEvaluationContext (used when getValue() is called without an explicit context) exposes all of this, so user input parsed as SpEL without restriction gives the attacker code execution, not merely access to data.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Vulnerable: user input is parsed as SpEL and evaluated under the default StandardEvaluationContext (T(), new, @bean references and method calls all allowed)
ExpressionParser parser = new SpelExpressionParser();
Expression exp = parser.parseExpression(userInput);
Object result = exp.getValue();

// Safer: SimpleEvaluationContext disables type references, constructors, bean references and method invocation; only property reads on the root object remain
EvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
Object restricted = exp.getValue(context);
# Execute system command
T(java.lang.Runtime).getRuntime().exec('whoami')
# Using ProcessBuilder
new java.lang.ProcessBuilder({'cat','/etc/passwd'}).start()
# Read file contents
new java.util.Scanner(new java.io.File('/etc/passwd')).useDelimiter('\\Z').next()
# Access environment variables
T(java.lang.System).getenv('PATH')
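The following self-contained program, added here as an illustration and not code from the original entry, runs the PATH payload listed above through the three patterns discussed: attacker-controlled expression under StandardEvaluationContext, the same expression under SimpleEvaluationContext, and a fixed expression where the user input enters only as a SpEL variable. The Order root object, the method names and the "needle" variable are hypothetical; only the spring-expression module is required on the classpath.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelInjectionDemo {

    // Hypothetical root object: the only data a legitimate expression should touch.
    public static class Order {
        private final String customer;
        private final int quantity;

        public Order(String customer, int quantity) {
            this.customer = customer;
            this.quantity = quantity;
        }

        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable: the attacker supplies the whole expression and it runs under
    // StandardEvaluationContext, which exposes T(), new, @bean references and
    // arbitrary method invocation on any reachable object.
    static Object evaluateUnsafe(String userExpression, Order root) {
        Expression exp = PARSER.parseExpression(userExpression);
        return exp.getValue(new StandardEvaluationContext(root));
    }

    // Defence in depth: the same attacker-controlled expression, evaluated under
    // SimpleEvaluationContext. Type references, constructors, bean references and
    // method calls are unavailable; only public property reads on the root object
    // (plus any registered variables) remain.
    static Object evaluateRestricted(String userExpression, Order root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression exp = PARSER.parseExpression(userExpression);
        return exp.getValue(ctx, root);
    }

    // Preferred: the expression text is a developer-owned constant and the user
    // input enters only as data, through a SpEL variable. It is never parsed.
    static boolean isForCustomer(String userInput, Order root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        ctx.setVariable("needle", userInput);
        Boolean match = PARSER.parseExpression("customer == #needle").getValue(ctx, Boolean.class);
        return Boolean.TRUE.equals(match);
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 3);
        // Payload from the list above; harmless here, but any T() call behaves the same way.
        String payload = "T(java.lang.System).getenv('PATH')";

        System.out.println("unsafe    : " + evaluateUnsafe(payload, order));

        try {
            System.out.println("restricted: " + evaluateRestricted(payload, order));
        } catch (SpelEvaluationException e) {
            // SimpleEvaluationContext has no type locator, so the T() reference fails.
            System.out.println("restricted: rejected -> " + e.getMessageCode());
        }

        // Legitimate data-binding use still works under the restricted context.
        System.out.println("quantity*2: " + evaluateRestricted("quantity * 2", order));

        // Fixed expression: the payload is compared as a plain string, never evaluated.
        System.out.println("isForCustomer(payload): " + isForCustomer(payload, order));
        System.out.println("isForCustomer(\"alice\"): " + isForCustomer("alice", order));
    }
}
```

The first call returns the server's PATH, the second throws a SpelEvaluationException, and the fixed-expression variant treats the payload as an ordinary string that simply does not equal "alice". Treat SimpleEvaluationContext as a mitigation rather than a sandbox for arbitrary input: whenever the application only needs to compare or look up a user-supplied value, keep the expression constant and bind the input as a variable, so no attacker text is ever handed to the parser.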