CVE-2022-22980

Improper Input Validation (4.16)
Affects spring-data-mongodb in Spring
Versions: = 3.4.0, < 3.3.5
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Data MongoDB is part of the Spring Data project and provides integration with the MongoDB document database. It simplifies data access and mapping for Java applications using MongoDB.

An Improper Input Validation vulnerability (CVE-2022-22980) has been identified in Spring Data MongoDB. This vulnerability can allow an attacker to manipulate query behavior when user-controlled input is used to construct MongoDB queries.

Improper Input Validation occurs when untrusted input is not correctly sanitized or validated before being used in operations. In this case, specially crafted input may influence how queries are constructed and executed, potentially leading to unauthorized data access.

This issue affects multiple versions of Spring Data MongoDB.

Details

Module Info

  • Product: spring-data-mongodb
  • Affected packages: solr-core
  • Affected versions: => 5.3.0, <= 9.1.0
  • GitHub repository: https://github.com/spring-projects/spring-data-mongodb/
  • Published packages: https://central.sonatype.com/artifact/org.springframework.data/spring-data-mongodb
  • Package manager: Maven

Vulnerability Info

This flaw affects applications that use Spring Data MongoDB repositories or template-based query construction with user-provided input.

The vulnerability is triggered when applications use @Query- or @Aggregation-annotated repository methods whose SpEL (Spring Expression Language) expressions contain parameter placeholders for value binding. If untrusted input is passed into these expressions without proper sanitization, it may influence how the query is constructed and executed.

Under these conditions, specially crafted input can alter the intended structure or behavior of a MongoDB query. This may allow an attacker to:

  • Modify query criteria in unintended ways
  • Inject or manipulate query expressions through SpEL evaluation
  • Bypass application-level filtering or access controls
  • Access or return data that should not be exposed

Applications are particularly at risk when user-controlled input is directly incorporated into SpEL-based query definitions without strict validation or constraints.

Steps To Reproduce

  1. Use an application with Spring Data MongoDB < 3.3.5 or < 3.4.1 that utilizes @Query or @Aggregation annotations with SpEL expressions.
  2. Identify an endpoint that passes unsanitized user input directly into a repository method using a SpEL-based query.
  3. Submit a crafted HTTP request containing a malicious SpEL payload (e.g., T(java.lang.Runtime).getRuntime().exec("...")) within the vulnerable parameter.
  4. Observe the execution of the arbitrary command or unauthorized data retrieval, indicating successful SpEL injection.

Mitigation

Only recent versions of Spring Data MongoDB are community-supported. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade Spring Data MongoDB to 3.3.5 or 3.4.1 (or newer) to ensure SpEL expressions in @Query and @Aggregation annotations are properly handled.
  • Refactor repository queries to use parameter binding (e.g., ?0) instead of SpEL placeholders (e.g., :#{#...}) when processing untrusted user input.
  • Apply the principle of least privilege to the MongoDB database user to limit the impact of potential unauthorized data access or command execution.
  • Upgrade affected applications to supported versions of Spring Data MongoDB.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
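The following is an added example, not code from the advisory or from the Spring Data project. It illustrates the two query shapes the Vulnerability Info and Mitigation sections contrast: a repository method whose SpEL expression contains a parameter placeholder (the pattern affected on versions before 3.3.5 / 3.4.1), and the same query rewritten with plain ?0 binding, plus the input constraint the advisory recommends as a further safeguard. It assumes a Spring Boot web application with spring-data-mongodb on the classpath; the Person document, the repository and controller names, and the allowlist pattern are constructed for illustration.

```java
// Added example (not from the advisory or the Spring Data project). Assumes a Spring
// Boot application with spring-data-mongodb; Person, the repositories, the controller
// and the allowlist rule are constructed for illustration.
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@Document("people")
class Person {
    @Id String id;
    String lastname;
}

// Affected shape on versions before 3.3.5 / 3.4.1: the value of the query is a SpEL
// expression (?#{ ... }) that itself contains a parameter placeholder (?0). The raw
// request value is bound into the expression text and the expression is then
// evaluated, which is the condition the advisory describes as allowing a crafted
// value to change query behaviour instead of being treated as data.
interface LegacyPersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'lastname': ?#{ '?0' } }")
    List<Person> findByLastname(String lastname);
}

// Hardened shape recommended by the advisory: plain positional binding. The value is
// passed to the driver as a BSON string; no expression is evaluated whatever it contains.
interface PersonRepository extends MongoRepository<Person, String> {
    @Query("{ 'lastname': ?0 }")
    List<Person> findByLastname(String lastname);
}

@RestController
class PersonController {
    // Defence in depth, independent of the library upgrade: constrain request input to
    // what a surname can legitimately contain before it reaches any query. The pattern
    // is a constructed example; adjust it to the application's real data. Note that it
    // still allows an apostrophe (O'Brien), so validation alone is not a substitute for
    // the ?0 binding above.
    private static final Pattern LASTNAME = Pattern.compile("^[\\p{L}' -]{1,64}$");

    private final PersonRepository people;

    PersonController(PersonRepository people) {
        this.people = people;
    }

    @GetMapping("/people")
    List<Person> byLastname(@RequestParam String lastname) {
        if (!LASTNAME.matcher(lastname).matches()) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid lastname");
        }
        return people.findByLastname(lastname);
    }
}
```

The controller only wires the hardened repository; LegacyPersonRepository is shown solely so the two annotation strings can be compared side by side. When auditing an application, the search target is any @Query or @Aggregation value in which a ?#{ ... } or :#{ ... } expression wraps a ?0-style placeholder, and the fix is either the library upgrade or moving the placeholder out of the expression as shown.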
Vulnerability Details

Severity levels by CVSS assessment:

  • Low: >= 0 and < 4
  • Medium: >= 4 and < 6
  • High: >= 6 and < 8
  • Critical: >= 8 and < 10

Severity of this vulnerability: Critical

  • ID: CVE-2022-22980
  • Project affected: spring-data-mongodb
  • Versions affected: = 3.4.0, < 3.3.5
  • NES versions affected: (not listed on this page)
  • Published date: June 22, 2022
  • Approximate fix date: March 11, 2026
  • Category: Improper Input Validation (4.16)