Common Weakness Enumeration

CWE-917

Allowed

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Abstraction: Base · Status: Incomplete

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

170 vulnerabilities reference this CWE, most recent first.

GHSA-WXQC-PXW9-G2P8

Vulnerability from github – Published: 2023-04-13 21:30 – Updated: 2024-06-10 18:30
VLAI
Summary
Spring Framework vulnerable to denial of service
Details

In Spring Framework versions prior to 5.2.24.release+ , 5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial-of-service (DoS) condition.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-expression"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-expression"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.3.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework:spring-expression"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.24.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-20863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-17T17:19:53Z",
    "nvd_published_at": "2023-04-13T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Spring Framework versions prior to 5.2.24.release+ , 5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial-of-service (DoS) condition.",
  "id": "GHSA-wxqc-pxw9-g2p8",
  "modified": "2024-06-10T18:30:45Z",
  "published": "2023-04-13T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20863"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-projects/spring-framework"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240524-0015"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2023-20863"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Framework vulnerable to denial of service"
}

GHSA-X2W8-8Q96-QHGR

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A addvsiinterfaceinfo expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A addvsiinterfaceinfo expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-x2w8-8q96-qhgr",
  "modified": "2022-05-24T17:31:14Z",
  "published": "2022-05-24T17:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24652"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X5GC-4H49-76JF

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A tvxlanlegend expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A tvxlanlegend expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-x5gc-4h49-76jf",
  "modified": "2022-05-24T17:31:20Z",
  "published": "2022-05-24T17:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7185"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X626-C49H-FR9M

Vulnerability from github – Published: 2023-10-31 15:30 – Updated: 2023-10-31 23:27
VLAI
Details

Archive, check and export commands in Chef InSpec prior to 4.56.58 and 5.22.29 allow local command execution via maliciously crafted profile.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-31T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "Archive, check and export commands in Chef InSpec\nprior to 4.56.58 and 5.22.29 allow local command execution via maliciously\ncrafted profile.\n\n\n\n",
  "id": "GHSA-x626-c49h-fr9m",
  "modified": "2023-10-31T23:27:42Z",
  "published": "2023-10-31T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42658"
    },
    {
      "type": "WEB",
      "url": "https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Inspec-CVE-2023-42658"
    },
    {
      "type": "WEB",
      "url": "https://docs.chef.io/inspec/cli"
    },
    {
      "type": "WEB",
      "url": "https://docs.chef.io/release_notes_inspec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8RG-MPG5-78WG

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A navigationto expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A navigationto expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-x8rg-mpg5-78wg",
  "modified": "2022-05-24T17:31:17Z",
  "published": "2022-05-24T17:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7163"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X943-VQMM-C5QP

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32834"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-09T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063.",
  "id": "GHSA-x943-vqmm-c5qp",
  "modified": "2022-05-24T19:14:08Z",
  "published": "2022-05-24T19:14:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32834"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2021-063-eclipse-keti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG2J-3HJ6-PC24

Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31
VLAI
Details

A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator.

Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T00:16:51Z",
    "severity": "MODERATE"
  },
  "details": "A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator.\n\nAffected versions:\nSpring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.",
  "id": "GHSA-xg2j-3hj6-pc24",
  "modified": "2026-06-10T00:31:52Z",
  "published": "2026-06-10T00:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41719"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-41719"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XGH5-GWQ5-RPX8

Vulnerability from github – Published: 2023-04-25 09:30 – Updated: 2023-05-05 20:35
VLAI
Summary
Arbitrary javascript injection in Apache Jena
Details

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.jena:jena"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-25T19:47:40Z",
    "nvd_published_at": "2023-04-25T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.",
  "id": "GHSA-xgh5-gwq5-rpx8",
  "modified": "2023-05-05T20:35:38Z",
  "published": "2023-04-25T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22665"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/jena"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/07/11/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Arbitrary javascript injection in Apache Jena"
}

GHSA-XHV3-JG9X-X2JH

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

A faultinfo_content expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-19T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A faultinfo_content expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).",
  "id": "GHSA-xhv3-jg9x-x2jh",
  "modified": "2022-05-24T17:31:16Z",
  "published": "2022-05-24T17:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7156"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbnw04036en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XJW8-8C5C-9R79

Vulnerability from github – Published: 2026-04-15 19:46 – Updated: 2026-04-24 20:53
VLAI
Summary
Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf
Details

Impact

A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library's protections to achieve Server-Side Template Injection (SSTI).

Patches

This has been fixed in Thymeleaf 3.1.4.RELEASE.

Workarounds

No workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.

Credits

Thanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.thymeleaf:thymeleaf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.thymeleaf:thymeleaf-spring5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3.RELEASE"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.thymeleaf:thymeleaf-spring6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4.RELEASE"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:46:23Z",
    "nvd_published_at": "2026-04-17T22:16:33Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nA security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of unauthorized expressions. If an application developer passes unvalidated user input directly to the template engine, an unauthenticated remote attacker can bypass the library\u0027s protections to achieve Server-Side Template Injection (SSTI).\n\n### Patches\nThis has been fixed in Thymeleaf 3.1.4.RELEASE.\n\n### Workarounds\nNo workaround is available beyond ensuring applications do not pass unvalidated user input directly to the template engine. Upgrading to 3.1.4.RELEASE is strongly recommended in any case.\n\n### Credits\nThanks to Dawid Bakaj (VIPentest.com) for responsible disclosure.",
  "id": "GHSA-xjw8-8c5c-9r79",
  "modified": "2026-04-24T20:53:26Z",
  "published": "2026-04-15T19:46:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thymeleaf/thymeleaf/security/advisories/GHSA-xjw8-8c5c-9r79"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40478"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thymeleaf/thymeleaf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf"
}

Mitigation
Architecture and Design

Avoid adding user-controlled data into an expression interpreter when possible.

Mitigation
Implementation
  • If user-controlled data must be added to an expression interpreter, one or more of the following should be performed:
  • Validate that the user input will not evaluate as an expression
  • Encode the user input in a way that ensures it is not evaluated as an expression
Mitigation
System Configuration Operation

The framework or tooling might allow the developer to disable or deactivate the processing of EL expressions, such as setting the isELIgnored attribute for a JSP page to "true".

No CAPEC attack patterns related to this CWE.