SpEL Expression injection Affecting org.springframework.data:spring-data-mongodb Open this link in a new tab package, versions [,3.3.5) [3.4.0,3.4.1)

  • Exploit Maturity

    Proof of concept

  • Attack Complexity


  • Scope


  • Confidentiality


  • Integrity


  • Availability


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    21 Jun 2022

  • disclosed

    21 Jun 2022

  • credit

    Zewei Zhang

How to fix?

Upgrade org.springframework.data:spring-data-mongodb to version 3.3.5, 3.4.1 or higher.


Affected versions of this package are vulnerable to SpEL Expression injection when using @Query or @Aggregation-annotated query methods with SpEL expressions. Exploiting this vulnerability is possible if the query parameter placeholders contain unsanitized value binding.


Applications are not affected if one of the followings is true:

  1. The annotated repository query or aggregation method does not contain expressions

  2. The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression

  3. The user-supplied input is sanitized by the application

  4. The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage


If upgrading to the fixed version is not possible, the following mitigation steps should be taken:

  1. Rewrite query or aggregation declarations to use parameter references (“[0]” instead of “?0“) within the expression.

  2. Sanitize parameters before calling the query method.

  3. Reconfigure the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider.