Expression Language Injection
| ID | expression_language_injection |
| Severity | critical |
| Kind | Injection |
| CWE | 917 |
Description
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended EL statement before it is executed. In Spring 3.0.5 and earlier, a vulnerability (CVE-2011-2730) caused Expression Language tags to be evaluated twice, which effectively exposed any affected application to EL injection. Even in later versions, this weakness remains possible depending on configuration.
Rationale
Expression Language injection allows attackers to execute arbitrary code on the server by manipulating EL statements in JSP pages or templates. Attackers inject malicious EL expressions through user inputs that are incorporated into template processing without proper sanitization. Successful exploitation enables reading sensitive files, accessing environment variables, executing system commands, and achieving remote code execution. In Spring applications, attackers can access Java objects and invoke methods, potentially compromising the entire application server. The vulnerability is particularly severe because EL evaluation occurs server-side with the application’s full privileges.
Remediation
Apply data validation best practices to untrusted input and ensure that output encoding is applied when data reaches the EL layer, so that the interpreter finds no metacharacters in user-supplied content before evaluation. The most obvious patterns to detect are ${ and #{, but an attacker may encode or fragment this data to evade such a check.
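The remediation above, shown as an added example that is not code from this page or from the Spring project, in Java with Spring's SpEL as the EL dialect. A handler that splices a request value into the expression text sits beside a hardened version that validates the value against an allow-list and passes it to the evaluator as a context variable, so the expression's structure is fixed by the developer. The class, method names, the `name` parameter and the sample inputs are constructed for the illustration.

```java
import java.util.regex.Pattern;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Added example (not from this page or from Spring): the same greeting built
// two ways from a hypothetical request parameter. The class, the method names
// and the sample inputs are constructed for the illustration.
public class ElInjectionDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Allow-list for the constructed 'name' parameter: letters, digits, space,
    // dot, apostrophe and hyphen, at most 64 characters. Unexpected characters
    // are rejected outright rather than searched for "${" / "#{", a check that
    // encoding or fragmenting the input can evade.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[\\p{L}\\p{N} .'-]{1,64}$");

    // VULNERABLE: the untrusted value is concatenated into the template text,
    // so whatever it contains becomes part of the expression that the parser
    // evaluates server-side with the application's privileges.
    static String greetVulnerable(String untrustedName) {
        String template = "Hello, #{'" + untrustedName + "'}!";
        Expression exp = PARSER.parseExpression(template, new TemplateParserContext());
        return exp.getValue(String.class);
    }

    // HARDENED: the expression text is a developer-controlled constant and the
    // input reaches it only as a context variable, so it cannot change the
    // expression's structure. SimpleEvaluationContext additionally disables
    // type references, constructors and bean references for defence in depth.
    static String greetSafe(String untrustedName) {
        if (!SAFE_NAME.matcher(untrustedName).matches()) {
            throw new IllegalArgumentException("name rejected by allow-list");
        }
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("name", untrustedName);
        Expression exp = PARSER.parseExpression("'Hello, ' + #name + '!'");
        return exp.getValue(ctx, String.class);
    }

    public static void main(String[] args) {
        String benign = "Alice";
        // Constructed input: closes the quoted literal and inserts arithmetic.
        // In the vulnerable path the arithmetic is evaluated and its result
        // appears in the greeting, proving the input was treated as EL.
        String crafted = "' + 7*191 + '";

        System.out.println(greetVulnerable(benign));
        System.out.println(greetSafe(benign));
        System.out.println(greetVulnerable(crafted));
        try {
            greetSafe(crafted);
        } catch (IllegalArgumentException e) {
            // The hardened path never lets the crafted value near the parser.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list deliberately permits an apostrophe, which would break the quoted literal in the vulnerable version; the hardened version is unaffected because the value travels as the `#name` variable rather than as expression text. The same principle applies to JSP: EL should be authored in the page, never assembled at runtime from request data.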