CVE-2026-41729
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Data REST is a Spring project that automatically exposes Spring Data repositories as hypermedia-driven REST resources, including support for partial updates through JSON Patch requests.
A high-severity vulnerability (CVE-2026-41729) has been identified in Spring Data REST. When a JSON Patch request targets a Map-typed persistent property of an exposed entity, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization. An attacker can craft a malicious map-key segment that breaks out of the intended indexer literal and evaluates arbitrary SpEL sub-expressions within the aggregate root context, leading to remote code execution.
Per OWASP, Expression Language Injection occurs when user-controlled input is incorporated into an expression that an expression-language engine then evaluates, allowing an attacker to execute arbitrary expressions and, in many cases, arbitrary code.
This issue affects Spring Data REST versions >=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, and >=5.0.0 <=5.0.5.
Details
Module Info
- Product: Spring Data REST
- Affected packages: spring-data-rest-webmvc
- Affected versions: >=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
- GitHub repository: https://github.com/spring-projects/spring-data-rest
- Published packages: https://central.sonatype.com/artifact/org.springframework.data/spring-data-rest-webmvc
- Package manager: Maven
- Fixed in:
  - NES for Spring Data REST
  - Spring Data REST 4.5.12, 5.0.6 (OSS)
Vulnerability Info
Spring Data REST translates a JSON Patch operation's JSON Pointer path into a SpEL expression that locates the target property on the aggregate root. For a string-keyed Map property, the map key taken from the path segment is wrapped in single quotes and placed inside a SpEL indexer:
    // Vulnerable construction: the JSON Pointer segment is dropped into the '%s' literal unescaped
    String keyExpression = STRING_TYPE.equals(componentType) ? String.format("'%s'", segment) : segment;
    // The resulting indexer, e.g. ['<segment>'], is appended to the SpEL path that locates the property
    return skipWith(String.format("[%s]", keyExpression));
The segment value originates from the attacker-controlled JSON Pointer path and is interpolated into the '%s' literal with no escaping or validation. A map key containing a single quote closes the string literal, after which an attacker can append an arbitrary SpEL sub-expression and re-open a literal, producing a fully attacker-controlled expression that is then evaluated against the aggregate root. Because SpEL can resolve and invoke arbitrary types and methods, this yields remote code execution.
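To make the defect concrete, here is an added, stand-alone Java example (it is not Spring Data REST's code and does not reproduce the library's patch) that places the advisory's unescaped `'%s'` interpolation next to a hardened variant. The hardened form relies on the SpEL string-literal rule that an embedded single quote is written as two single quotes; the allow-list variant and the class, method and sample key names are illustrative choices for this example. Running it requires org.springframework:spring-expression on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.expression.ExpressionException;
import org.springframework.expression.spel.standard.SpelExpressionParser;

/**
 * Illustrative comparison (not Spring Data REST's own code): how a JSON Pointer
 * map-key segment becomes a SpEL indexer, and why the key must be escaped.
 */
public class MapKeyIndexerDemo {

    /** Mirrors the vulnerable pattern from the advisory: the segment is dropped into '%s' unchanged. */
    static String unsafeIndexer(String segment) {
        String keyExpression = String.format("'%s'", segment);
        return String.format("[%s]", keyExpression);
    }

    /**
     * Hardened variant (an illustrative approach, not the upstream fix): a SpEL string
     * literal escapes an embedded single quote by doubling it, so the key can never
     * terminate the literal early. The result is always exactly one indexer literal.
     */
    static String escapedIndexer(String segment) {
        String escaped = segment.replace("'", "''");
        return String.format("['%s']", escaped);
    }

    /** Stricter alternative: allow-list the key characters and refuse anything else. */
    private static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z0-9_.-]+");

    static String allowListedIndexer(String segment) {
        if (!SAFE_KEY.matcher(segment).matches()) {
            throw new IllegalArgumentException("map key contains characters outside the allow-list");
        }
        return String.format("['%s']", segment);
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate key that happens to contain an apostrophe.
        String segment = "o'neil";
        Map<String, String> root = new HashMap<>();
        root.put(segment, "value-for-oneil");

        SpelExpressionParser parser = new SpelExpressionParser();

        String unsafe = unsafeIndexer(segment);    // ['o'neil']  : the literal is closed after 'o'
        String escaped = escapedIndexer(segment);  // ['o''neil'] : one literal, key preserved

        System.out.println("unsafe  : " + unsafe);
        System.out.println("escaped : " + escaped);

        try {
            parser.parseExpression(unsafe).getValue(root);
            System.out.println("unsafe expression parsed, but not as a single key lookup");
        } catch (ExpressionException e) {
            System.out.println("unsafe expression rejected by the parser: " + e.getMessage());
        }

        // The escaped indexer evaluates against the map root as a plain key lookup.
        Object value = parser.parseExpression(escaped).getValue(root);
        System.out.println("escaped lookup -> " + value);
    }
}
```

With the constructed key `o'neil`, the unsafe builder produces `['o'neil']`, which the parser cannot read as one key, while the escaped builder produces `['o''neil']`, which evaluates to a single map lookup. The escaping is shown only to make the injection point visible; upgrading to a fixed release (or using the NES backport) remains the remedy.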
Exploitation requires that the application expose an aggregate or nested type declaring a Map-typed persistent property, and that the attacker be able to issue a PATCH request with the application/json-patch+json content type against the exposed resource. No user interaction is required, and only low privileges are needed.
This vulnerability was introduced in 2017 with Spring Data REST 3.0.
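The preconditions above turn on whether any exposed aggregate, or a type nested in one, declares a Map-typed persistent property. The following added Java helper, written for this advisory rather than taken from Spring Data REST, walks a list of entity classes with reflection and reports their Map-typed fields. The Customer and Address classes are constructed samples, and the helper approximates Spring Data's persistent-property rules by skipping only static and transient fields, so treat its output as a starting point to reconcile against your repository and export configuration.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/**
 * Added audit helper (not part of Spring Data REST): lists Map-typed fields on a set of
 * entity classes, so a team can see whether the precondition for this issue (an exposed
 * aggregate or nested type declaring a Map-typed property) applies to their domain model.
 */
public class MapPropertyAudit {

    /** Returns "Class#field -> type" entries for every non-static, non-transient Map field. */
    static List<String> findMapProperties(Class<?>... entityClasses) {
        List<String> findings = new ArrayList<>();
        for (Class<?> type : entityClasses) {
            // Walk the superclass chain so inherited state is not missed.
            for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
                for (Field field : c.getDeclaredFields()) {
                    int mods = field.getModifiers();
                    if (Modifier.isStatic(mods) || Modifier.isTransient(mods)) {
                        continue; // coarse approximation: not persistent state
                    }
                    if (Map.class.isAssignableFrom(field.getType())) {
                        findings.add(type.getSimpleName() + "#" + field.getName()
                                + " -> " + field.getGenericType().getTypeName());
                    }
                }
            }
        }
        return findings;
    }

    // Constructed sample entities standing in for a real domain model.
    static class Customer {
        Long id;
        String name;
        Map<String, String> attributes;   // the property shape the advisory describes
        Address address;                  // nested type, audited separately below
    }

    static class Address {
        String city;
        Map<String, Integer> geoTags;
    }

    public static void main(String[] args) {
        for (String finding : findMapProperties(Customer.class, Address.class)) {
            System.out.println(finding);
        }
    }
}
```

The helper does not know which repositories are exported or which content types the endpoints accept, so a Map-typed field it reports is exposed to this issue only if the owning aggregate is reachable through an exported repository that accepts application/json-patch+json PATCH requests.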
Mitigation
Spring Data REST 3.7.x, 4.3.x, and 4.4.x have reached End-of-Life on the open-source release track and will not receive open-source security updates; see https://spring.io/projects/spring-data-rest#support for the support timeline. Do not attempt to self-patch these lines.
We recommend one of the following:
- Upgrade to a supported, fixed open-source version (Spring Data REST 4.5.12 or 5.0.6).
- For applications that must remain on an End-of-Life line (3.5.x, 3.7.x, 4.2.x, 4.3.x, 4.4.x), use HeroDevs Never-Ending Support (NES) for Spring Data REST, which provides a backported fix for this vulnerability while preserving API compatibility. Learn more about HeroDevs Never-Ending Support for Spring Data REST and request coverage at https://www.herodevs.com/support/spring-nes
Credits
- Daehyun Kang (@daehyuh) (finder)