The Spring Data MongoDB SpEL Expression Injection Vulnerability — CVE-2022-22980


We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the following CVE report:

CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods

This advisory describes an expression injection vulnerability in Spring Data MongoDB SpEL. Its CVSSv3 score is 8.2, its identifier is CVE-2022-22980, and its threat level is high risk. Spring Data MongoDB applications are vulnerable to SpEL injection when unfiltered input is bound as a value to query methods annotated with @Query or @Aggregation whose SpEL expressions contain query parameter placeholders.

The vulnerability affects Spring Data MongoDB applications using repository query methods annotated with @Query or @Aggregation and parametrized SpEL statements. A specific exploit requires the usage of non-sanitized input to the repository query method.


These are the necessary conditions for the specific vulnerability:

  • Spring Data MongoDB 3.4.0
  • Spring Data MongoDB 3.3.0–3.3.4
  • Older, unsupported versions are also affected

  • Declaration of repository query methods annotated with @Query or @Aggregation that make use of SpEL (Spring Expression Language) and use input parameter references (?0, ?1, …) within the SpEL expression

  • Spring-data-mongodb dependency


Additional Notes

The issue relates to the repository query method invocation to assemble the MongoDB query using expressions. The vulnerability occurs during query assembly and does not require the query to be executed for exploitation.

Referencing SpEL arguments through the array syntax ([0], [1], […]) does not create a vulnerability and is a recommended workaround if you cannot upgrade to a version that contains the fix.

The vulnerability can only be exploited if an application invokes the query method with non-sanitized user input. Alternatively, arrangements that expose repository query methods without involving additional application code (such as Spring Data REST) are vulnerable as well.

Suggested Workarounds

The preferred response is to update to Spring Data MongoDB 3.4.1 and 3.3.5 or greater. If you have done this, then no workarounds are necessary. However, some may be in a position where upgrading is impossible to do quickly. For that reason, we have provided some workarounds below.

Please note that workarounds are not necessarily mutually exclusive since security is best done “in-depth”.

Using Array Syntax

If your application requires dynamic SpEL expressions that are controlled by user input, then referencing SpEL arguments using the array syntax [0] is a safe way to access SpEL arguments.

Implementing a custom repository method

Replacing the SpEL expression with a custom repository method implementation is a viable workaround to assemble your dynamic query within the application code. Refer to the reference documentation on repository customization for further details.
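
The two workarounds above in one listing, as an added example that is not taken from the advisory or the Spring project. Person, PersonRepository, the lastname field and all method names are hypothetical.

```java
// Added example; types are package-private so the listing fits in one file.
import java.util.List;

import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

import static org.springframework.data.mongodb.core.query.Criteria.where;
import static org.springframework.data.mongodb.core.query.Query.query;

@Document
class Person {
    @Id String id;
    String lastname;
}

interface PersonRepository extends MongoRepository<Person, String>, PersonRepositoryCustom {

    // Pattern named in the advisory: a ?0 parameter placeholder inside the
    // SpEL expression. Shown for comparison only; remove such declarations.
    @Query("{ 'lastname' : ?#{?0} }")
    List<Person> findAffected(String lastname);

    // Workaround "Using Array Syntax": [0] references the first method
    // argument, the form the advisory lists as not creating a vulnerability.
    @Query("{ 'lastname' : ?#{[0]} }")
    List<Person> findWithArraySyntax(String lastname);
}

// Workaround "custom repository method": no SpEL at all, the query is
// assembled in application code and the argument is bound as a value.
interface PersonRepositoryCustom {
    List<Person> lookupLastname(String lastname);
}

class PersonRepositoryCustomImpl implements PersonRepositoryCustom {
    private final MongoTemplate template;

    PersonRepositoryCustomImpl(MongoTemplate template) {
        this.template = template;
    }

    @Override
    public List<Person> lookupLastname(String lastname) {
        return template.find(query(where("lastname").is(lastname)), Person.class);
    }
}
```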


  • Users of affected versions should apply the following mitigation: 3.4.x users should upgrade to 3.4.1+. 3.3.x users should upgrade to 3.3.5+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions:
  • Rewrite the query or aggregation declarations to use parameter references (“[0]” instead of “?0”) within the expression.
  • Sanitize parameters before calling the query method.
  • Reconfigure the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider.

