Bug mirrors recent SpEL injection vulnerability that emerged alongside ‘SpringShell’ issue

Spring Data MongoDB hit by another critical SpEL injection flaw

UPDATED A critical SpEL injection vulnerability whose abuse leads to remote code execution (RCE) has been patched in Spring Data MongoDB, which provides object-document support and repositories for MongoDB.

Successful exploitation of the flaw (CVE-2022-22980), which has a near-maximum CVSS score of 9.8, “would allow an attacker to run arbitrary code with privileges inherited by the Spring MongoDB process,” Sam Quinn, senior security researcher at Trellix Threat Labs, told The Daily Swig.

First.org has ranked the flaw among the top 10 CVEs likely to be used in the wild over the last 30 days, added Quinn, and its ease-of-exploitation and the number of exploit proofs-of-concept available leads him to “suspect this vulnerability will continue to rise in popularity”.

SpELling it out

Spring Data MongoDB, which is part of VMWare’s Spring project, integrates with MongoDB, a document-oriented NoSQL database platform with more than 26,800 customers.

RELATED Enfilade: Open source tool flags ransomware and bot infections in MongoDB instances

SpEL – or Spring Expression Language – supports the querying and manipulating of object graphs at runtime.

A security advisory published by VMware reads: “A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.”

Said Quinn: “Given that the server is configured without sanitation of user input, the attacker simply needs to enter a malicious SpEL expression into the database search field to gain code execution.”

The application is apparently not vulnerable if the repository is configured to use a CQueryMethodEvaluationContextProvider that limits SpEL usage.

Updates, mitigations

This vulnerability was discovered by Zewei Zhang from NSFOCUS TIANJI Lab, who reported the issue on June 13, 2022. Spring released patched versions of Spring Data MongoDB, 3.4.1 and 3.3.5, only seven days later, on June 20.

The flaw affects versions 3.4.0, 3.3.0 to 3.3.4, as well as older, unsupported versions.

Read more of the latest Java security news

In lieu of updating the application, developers can protect themselves by rewriting query or aggregation declarations to use parameter references within the expression (for instance, using ‘[0]’ instead of ‘?0’).

Other mitigation steps include sanitizing parameters before calling the query method and reconfiguring the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider.

Trellix Threat Labs has examined the security flaw further in its latest, June Bug Report.


The Spring project addressed another critical SpEL injection vulnerability only in March, a remote code execution (RCE) flaw impacting the Spring Cloud computing framework.

Within days another, even more dangerous RCE bug emerged in the Spring Framework’s Java-based Core module. Dubbed ‘Spring4Shell’, this issue arose from a bypass of a legacy bug patched in 2010.

Days later Microsoft and CISA were warning of ‘Spring4Shell’ exploitation in the wild, before it emerged that threat actors were leveraging the flaw as a vector for the spread of the Mirai botnet.

The Spring4Shell vulnerability involved a widespread attack surface, with “60% of Java developers relying on Spring for applications, said Quinn, but “the addition of MongoDB should significantly reduce the overall volume of the threat surface” with the latest vulnerability. “Furthermore, patches have been available from VMWare for weeks now, and many organisations have likely applied the fixes already.”

This article was updated with comment from Sam Quinn from Trellix Threat Labs on July 6.

YOU MIGHT ALSO LIKE Gitlab patches critical RCE bug in latest security release