Improper Neutralization of Special Elements in Data Query Logic Affecting org.springframework.data:spring-data-mongodb package, versions [,4.5.12)[5.0.0-M1,5.0.6)

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the @Query regex parameter binding when a bound parameter is placed inside a regular expression literal using \\Q...\\E quoting (e.g. @Query(\"{ name : /^\\\\Q?0\\\\E$/ }\")). The ParameterBindingJsonReader performs insufficient neutralization of the bound parameter value when it is substituted into the regex literal. Because escaping was applied via replaceAll (which interprets regex metacharacters in both the pattern and replacement), a bound value containing a \\E sequence (or other regex-significant characters) can terminate the intended \\Q literal-quoting context and break out into attacker-controlled regular expression syntax. This lets an attacker inject regex constructs into the query filter, manipulating the matching logic to bypass the intended filter or match documents outside the intended scope, which can lead to unauthorized data exposure.

Note:

This is only exploitable if the application exposes a repository query method whose @Query binds an untrusted parameter inside a regex literal.

• GitHub Commit
• Spring Security Advisory