CVE-2026-41729: Spring Data REST SpEL Injection via Map Key in JSON Patch

HIGH | JUNE 09, 2026 | CVE-2026-41729

Description

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests.

When a persistent entity exposes a Map-typed property, the JSON Pointer path segment that names the map key is spliced directly into the text of a SpEL expression, without validation or escaping. An attacker who can issue PATCH requests against an affected endpoint can craft a map-key segment that closes the intended indexer literal and appends an arbitrary SpEL sub-expression, which is then evaluated with the aggregate root as the root object.

Both the read path (resolving the target of a patch operation) and the write path (assigning the patched value) are affected.

Preconditions:

  • The exposed aggregate or a nested embedded type reachable via the patch path declares a Map-typed persistent property.
  • The attacker is able to issue PATCH requests with Content-Type: application/json-patch+json to the item resource (enabled by default; authentication requirements depend on the application's security configuration).
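The following standalone Java program is an added illustration of the flaw class described above; it is not Spring Data REST's code and not part of the advisory. The `Account` type, its `prefs` map, and the `readUnsafe`/`readSafe`/`writeSafe` helper names are assumptions made for the demo, and the hostile token is constructed. It contrasts splicing a JSON Pointer token into the source of a SpEL indexer expression with binding the token as a SpEL variable so it can only ever act as a Map lookup key:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/**
 * Constructed demo of the flaw class in the advisory. This is NOT Spring Data
 * REST's code; Account, prefs and the helper names are assumptions.
 */
public class MapKeySpelDemo {

    /** Hypothetical aggregate root exposing a Map-typed property. */
    public static class Account {
        private final String owner = "alice";                // sibling property outside the Map
        private final Map<String, String> prefs = new HashMap<>();
        public String getOwner() { return owner; }
        public Map<String, String> getPrefs() { return prefs; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    /** Reverse RFC 6901 escaping of one JSON Pointer token: "~1" -> "/", "~0" -> "~". */
    static String decodePointerToken(String token) {
        return token.replace("~1", "/").replace("~0", "~");
    }

    /**
     * VULNERABLE shape: the decoded token becomes part of the expression
     * source, so a token containing a quote and a bracket closes the
     * indexer literal and everything after it is parsed as SpEL.
     */
    static Object readUnsafe(Account root, String token) {
        String expr = "prefs['" + decodePointerToken(token) + "']";
        Expression e = PARSER.parseExpression(expr);
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    /**
     * HARDENED shape: the expression text is a constant and the key travels
     * as the SpEL variable #key, so it is only ever used as a Map key.
     */
    static Object readSafe(Account root, String token) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("key", decodePointerToken(token));
        return PARSER.parseExpression("prefs[#key]").getValue(ctx, root);
    }

    /** Same idea on the write path: assignment through the indexer with a bound variable. */
    static void writeSafe(Account root, String token, String value) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadWriteDataBinding().build();
        ctx.setVariable("key", decodePointerToken(token));
        PARSER.parseExpression("prefs[#key]").setValue(ctx, root, value);
    }

    /** Belt-and-braces check: only accept keys that cannot carry SpEL syntax. */
    private static final Pattern PLAIN_KEY = Pattern.compile("[A-Za-z0-9_.-]{1,64}");
    static boolean isPlainKey(String token) {
        return PLAIN_KEY.matcher(decodePointerToken(token)).matches();
    }

    public static void main(String[] args) {
        Account acct = new Account();
        acct.getPrefs().put("lang", "en");

        // A benign key resolves the same way in both shapes.
        System.out.println("unsafe/lang: " + readUnsafe(acct, "lang"));
        System.out.println("safe/lang:   " + readSafe(acct, "lang"));

        // Constructed hostile token. In the unsafe shape the assembled source is
        //   prefs['theme'] == null ? owner : prefs['theme']
        // which leaves the Map and reads the sibling property. In the safe shape the
        // whole string is merely a key that is absent from the Map.
        String hostile = "theme'] == null ? owner : prefs['theme";
        System.out.println("unsafe/hostile: " + readUnsafe(acct, hostile));
        System.out.println("safe/hostile:   " + readSafe(acct, hostile));
        System.out.println("isPlainKey(hostile): " + isPlainKey(hostile));

        writeSafe(acct, "theme", "dark");
        System.out.println("safe/theme after write: " + readSafe(acct, "theme"));
    }
}
```

Two caveats on reading this demo. First, the advisory does not show the exact expression Spring Data REST assembles or which evaluation context it uses; the demo's `prefs['...']` shape is only an illustration of "breaks out of the intended indexer literal". Second, the demo deliberately uses `SimpleEvaluationContext`, which already blocks type references and method invocation, so even the unsafe shape here is limited to reading and writing properties of the root object; the reachable impact in a real deployment depends on the context the framework evaluates with, which this page does not state.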

Affected Spring Products and Versions

Spring Data REST:

  • 3.7.0 - 3.7.19
  • 4.3.0 - 4.3.16
  • 4.4.0 - 4.4.14
  • 4.5.0 - 4.5.11
  • 5.0.0 - 5.0.5

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version. Fixes for the 3.7.x, 4.3.x and 4.4.x lines are available only through the commercial distribution; users of those lines without a commercial subscription should move to 4.5.12 or 5.0.6. Until the upgrade is applied, the preconditions above imply the exposure can be reduced by restricting which principals may issue PATCH requests to item resources, but this does not remove the flaw.

  Affected version(s)   Fix version   Availability
  3.7.x                 3.7.20        Commercial
  4.3.x                 4.3.17        Commercial
  4.4.x                 4.4.15        Commercial
  4.5.x                 4.5.12        OSS
  5.0.x                 5.0.6         OSS

Credit

The issue was identified and responsibly reported by Daehyun Kang (@daehyuh) [email protected].

References

History

  • 2026-06-09: Initial vulnerability report published.
