A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Specifically, an application is vulnerable when all of the following are true:

• A repository query method is annotated with @Query or @Aggregation
• The annotated query or aggregation value/pipeline contains SpEL parts using the parameter placeholder syntax within the expression
• The user supplied input is not sanitized by the application

An application is not vulnerable if any of the following is true:

• The annotated repository query or aggregation method does not contain expressions
• The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression
• The user supplied input is sanitized by the application
• The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage

• Spring Data MongoDB
  • 3.4.0
  • 3.3.0 to 3.3.4
  • Older, unsupported versions are also affected

Users of affected versions should apply the following mitigation: 3.4.x users should upgrade to 3.4.1+. 3.3.x users should upgrade to 3.3.5+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions.

Other mitigation steps:

• Rewrite query or aggregation declarations to use parameter references (“[0]” instead of “?0“) within the expression
• Sanitize parameters before calling the query method
• Reconfigure the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider

Releases that have fixed this issue include:

• Spring Data MongoDB
  • 3.4.1+
  • 3.3.5+

This issue was identified and responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab.