This scenario revolves around a critical remote code execution flaw in Spring AI, specifically inside the Simple Vector Store component. The vulnerability is dangerous because it allows unauthenticated attackers to run system commands remotely, without credentials or user interaction.
Spring AI, released around May 2025, became widely used to build applications that interact with large language models. Many of those apps rely on something called a RAG pipeline (Retrieval-Augmented Generation).
That pipeline typically works like this:
- Documents are embedded into vectors
- Stored in a vector database
- A user query filters documents
- Matching results get sent to the LLM
- The model generates a response
The weak point sits right in the filtering step.
Instead of safely handling filter input, the application inserts user-controlled values directly into a Spring Expression Language (SpEL) string, then evaluates it with full JVM permissions.
That decision turns a harmless search filter into an execution engine.
An attacker can inject a crafted expression and execute arbitrary commands on the server.
Why This Bug Is So Dangerous
This vulnerability has a CVSS score of 9.8, meaning:
- No authentication required
- No user interaction needed
- Remote execution possible
- Full server compromise achievable
The flaw happens because:
- User input becomes part of a SpEL expression
- The system uses StandardEvaluationContext
That context allows:
- Loading Java classes
- Calling methods
- Running OS commands
Once that happens, the application effectively hands attackers the keys to the JVM.
1. Vulnerability Overview
Affected Technology
Spring AI
Key component: Simple Vector Store
Used in:
- Retrieval-Augmented Generation (RAG) pipelines
- AI-backed enterprise tools
- Chatbot and assistant backends
Vulnerability Type
Unauthenticated Remote Code Execution (RCE)
via Spring Expression Language (SpEL) Injection
Severity:
CVSS 9.8: Critical
Attack characteristics:
- No authentication required
- No user interaction required
- Full JVM-level command execution
Root Cause Summary
The user-controlled filter input (the filter key) was concatenated into a SpEL expression, then executed using StandardEvaluationContext, which allows full JVM access:
- Class loading
- Method invocation
- Process execution
2. Spring AI RAG Pipeline — Execution Flow
Understanding the architecture is required to understand the injection path.
RAG Pipeline Model
Documents → Vector Embedding
↓
Simple Vector Store
↓
Similarity Search
↓
Language Model Response
Filter Injection Entry Point
User query includes:
Filter parameters
Example:
country=US
This filter becomes:
SpEL expression input
Improper sanitization leads to:
Expression execution
3. SpEL Injection Mechanics
Spring Expression Language (SpEL)
Used for:
- Security rules
- Configuration
- Metadata filtering
Dangerous Operator — T
The T operator allows:
Java class loading
Example pattern:
T(java.lang.Runtime)
This enables:
Runtime class loading
Process spawning
Command execution
Dangerous Execution Chain
Example execution flow:
T(java.lang.Runtime)
↓
getRuntime()
↓
exec("command")
Effect:
Remote command execution
4. Vulnerable Execution Context
StandardEvaluationContext
Default context used.
Capabilities:
Load classes
Call methods
Spawn processes
Access JVM internals
Secure Alternative
SimpleEvaluationContext
Restricts:
Type loading
Method execution
Runtime access
5. Attack Surface Characteristics
Exposure Condition
API endpoint must be:
Publicly reachable
Typical endpoint:
/search
Accepts:
filter key parameter
Attack Pattern
HTTP GET Request
↓
Injected filter key
↓
SpEL execution
↓
JVM command execution
6. Exploit Attack Chain — 4 Stages
The exploit script performs a staged attack.
Stage 1 — Baseline Check
Objective
Confirm endpoint availability.
Behavior
Send normal request:
country filter
Expected response:
{
"country": "US"
}
Indicates:
Endpoint is reachable
Stage 2 — Blind SpEL Probe
Objective
Verify injection path.
Payload Type
Read-only SpEL expression.
Expected response includes:
Java version string
Indicates:
SpEL injection successful
Stage 3 — RCE Confirmation
Objective
Execute harmless command.
Payload Behavior
Execute:
touch /tmp/pwned
Verification method:
Error response indicates execution occurred
Important concept:
Error ≠ Failure
Error = Execution Triggered
Stage 4 — Reverse Shell Execution
Objective
Obtain interactive shell.
Payload Technique
Reverse shell encoded using:
Base64
Then:
Decoded
Piped to bash
Executed inside SpEL
Example Base64 Command Pattern
echo | base64 -d | bash
7. Exploit Tooling
Two scripts provided:
exploit.py
listener.py
exploit.py — Multi-Stage Attack
Runs:
Stage 1 → Endpoint Check
Stage 2 → Injection Test
Stage 3 → RCE Test
Stage 4 → Reverse Shell
listener.py — Reverse Shell Handler
Modes:
Listener-only
Exploit mode
Listener Mode Behavior
Creates TCP socket:
Waits for reverse shell connection
Combined Exploit Mode
Sequence:
Start listener
Trigger payload
Receive shell
8. Endpoint Validation
Manual Test Using curl
curl http://
Expected response:
{
"country": "US"
}
Indicates:
API operational
9. Reverse Shell Execution Workflow
Start Listener
Example:
python listener.py
Launch Exploit
python exploit.py
Expected Result
Interactive shell:
id
Example output:
uid=0(root)
Indicates:
Root access achieved
10. Post-Exploitation Verification
Check Temporary File
Created during Stage 3:
ls /tmp/
Expected file:
pwned
Read Flag (Typical Lab Step)
cat /root/root.txt
Used to confirm:
Privilege-level access
11. Known Related Vulnerability
Previous similar vulnerability:
CVE-2022-22963
Spring Cloud Function
Root cause similarity:
SpEL Injection
Pattern Recurrence
Observed across:
Spring Cloud Function
Spring AI Vector Store
Root cause:
User input evaluated as expression
12. Detection Opportunities
Application Log Indicators
Look for:
SpelEvaluationException
Typical signature:
org.springframework.expression
Stack Trace Indicators
Important markers:
SpEL evaluation failure
Vector store errors
Unexpected expression parsing
13. HTTP Request Detection
Inspect inbound requests for:
filter key containing:
T(
Example malicious pattern:
T(java.lang.Runtime)
WAF Detection Strategy
Alert on:
T(java.lang.Runtime
Or:
.exec(
14. Process-Level Indicators
Monitor for:
bash
sh
runtime.exec
Unexpected child processes:
Java → bash
Java → sh
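One way to check for the Java → shell parent/child pattern, as an added example that is not part of the room's material: it walks a `ps -eo pid,ppid,user,comm` snapshot and reports shells that have a `java` ancestor. The snapshot is constructed, and `dash` is an assumed addition to the shell list.

```python
# Shell names the write-up lists, plus dash (an assumed addition: /bin/sh on Debian).
SHELLS = {"sh", "bash", "dash"}

def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm` output into {pid: {ppid, user, comm}}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, user, comm = line.split(None, 3)
        procs[int(pid)] = {"ppid": int(ppid), "user": user, "comm": comm.strip()}
    return procs

def ancestors(procs, pid):
    """Yield ancestor pids, nearest first; stop at an unknown or repeated pid."""
    seen = {pid}
    pid = procs[pid]["ppid"]
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield pid
        pid = procs[pid]["ppid"]

def shells_under_java(procs, max_depth=3):
    """Report shells that have a java process within max_depth generations above."""
    findings = []
    for pid, proc in procs.items():
        if proc["comm"] not in SHELLS:
            continue
        chain = [proc["comm"]]
        for depth, anc in enumerate(ancestors(procs, pid), start=1):
            if depth > max_depth:
                break
            chain.append(procs[anc]["comm"])
            if chain[-1] == "java":
                finding = {"pid": pid, "user": proc["user"]}
                finding["chain"] = " -> ".join(reversed(chain))
                findings.append(finding)
                break
    return findings

# Constructed snapshot: an interactive SSH shell and a shell tree under the JVM.
SAMPLE_PS = """
  PID  PPID USER     COMMAND
    1     0 root     systemd
  412     1 root     sshd
  980   412 alice    bash
 1500     1 root     java
 2210  1500 root     bash
 2211  2210 root     sh
"""
if __name__ == "__main__":
    print(shells_under_java(parse_ps(SAMPLE_PS)))
```

A `ps` snapshot only sees processes that are still alive; for short-lived commands, feed the same ancestry check from process-creation events such as auditd execve records or EDR telemetry.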
15. Log-Based Detection Strategy
Monitor logs for:
HTTP GET with SpEL payload
Example detection logic:
Query parameter contains:
T(java.
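The request-side checks from sections 13 and 15, as an added example (not from the room or its tooling): a Python scan of access-log lines that percent-decodes the query string before matching `T(`, `T(java.` and `.exec(`. The log lines, addresses and the `key` and `q` parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Markers named in the write-up; \s* tolerates padding around the parenthesis.
SPEL_MARKERS = {
    "type-operator": re.compile(r"\bT\s*\("),
    "java-type": re.compile(r"\bT\s*\(\s*java\."),
    "exec-call": re.compile(r"\.\s*exec\s*\("),
}
# Combined-log-format fields used here: client address, request target, status.
LINE_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_fully(text, max_rounds=3):
    """Percent-decode until the text stops changing (a proxy may decode twice)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_line(line):
    """Return a finding for a request whose query string carries a SpEL marker."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Scan the whole query string: parameter names (filter keys) as well as values.
    query = decode_fully(url.query)
    hits = sorted(name for name, rx in SPEL_MARKERS.items() if rx.search(query))
    if not hits:
        return None
    return {"src": m["src"], "path": url.path, "status": int(m["status"]), "hits": hits}

def scan_log(lines):
    return [finding for finding in map(scan_line, lines) if finding]

# Constructed sample lines (documentation addresses, hypothetical parameter names).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /search?country=US HTTP/1.1" 200 17',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /search?key=T%28java.lang.Runtime%29 HTTP/1.1" 500 312',
    '203.0.113.9 - - [01/Jan/2026:10:00:09 +0000] "GET /search?key=%2554%2528java.lang.Runtime%2529 HTTP/1.1" 500 312',
    '198.51.100.7 - - [01/Jan/2026:10:00:12 +0000] "GET /search?q=BUDGET(2026) HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A flagged request that returned an error status is worth correlating with SpelEvaluationException entries in the application log for the same timestamp.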
16. Mitigation Strategy
Primary Fix
Upgrade Spring AI version.
Fixed versions:
1.0.5+
1.1.4+
Core Fix Mechanism
Replace:
StandardEvaluationContext
With:
SimpleEvaluationContext
Effect:
Removes runtime execution capabilities
17. Temporary Mitigation
If an upgrade is not possible:
Implement:
Input validation
Reject:
filter values containing:
T(
Example Filter Validation Logic
Block inputs containing:
T(java.
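The validation logic above, as an added example that is not Spring AI code: it applies the page's deny-list and, as an assumed stricter policy, an allow-list that only admits identifier-style keys and short literal values. It is written in Python as it could run in a gateway hook in front of the service; the character classes and the `check_filter` name are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Tokens the write-up says to block.
DENY_TOKENS = ("T(", ".exec(")
# Assumed policy (not from the page): keys are plain field names, values short literals.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
VALUE_RE = re.compile(r"[A-Za-z0-9 _.,:@-]{1,128}")

def check_filter(query_string):
    """Return rejection reasons for a raw query string; an empty list means accept."""
    reasons = []
    seen = set()
    # parse_qsl percent-decodes, so the checks run on what the application would see.
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in seen:
            reasons.append(f"duplicate key {key!r}")
        seen.add(key)
        for part, text, rule in (("key", key, KEY_RE), ("value", value, VALUE_RE)):
            if any(token in text for token in DENY_TOKENS):
                reasons.append(f"{part} {text!r}: deny-listed token")
            elif not rule.fullmatch(text):
                reasons.append(f"{part} {text!r}: outside allowed character set")
    return reasons

if __name__ == "__main__":
    # Constructed inputs: the page's benign filter, its T( pattern, and a malformed key.
    for qs in ("country=US", "T%28java.lang.Runtime%29=US", "country%20code=US"):
        print(qs, "->", check_filter(qs) or "accepted")
```

The allow-list is the stronger layer: it rejects any key that is not a plain field name, whether or not it contains a token the deny-list knows about.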
18. Secure Coding Recommendation
Never allow:
User input inside executable expression engines
Examples of risky engines:
SpEL
OGNL
MVEL
JEXL
19. MITRE ATT&CK Mapping
Mapped technique:
T1190 — Exploit Public-Facing Application
Applicable phases:
Initial Access
Execution
Persistence
20. Key Exploit Workflow Summary
Identify exposed endpoint
↓
Send safe request
↓
Inject SpEL payload
↓
Execute runtime command
↓
Spawn reverse shell
↓
Gain root shell
21. Core Defensive Takeaways
Critical defensive priorities:
- Upgrade vulnerable libraries
- Restrict expression evaluation
- Validate all filter input
- Monitor logs for SpEL patterns
- Deploy WAF detection rules
- Monitor process spawning from Java
22. High-Risk Behavior Patterns
Watch for:
User-controlled expression evaluation
Especially when combined with:
Runtime class loading
Dynamic method invocation
External command execution
23. Core Analyst Command Summary
Endpoint Test
curl http://
Listener Execution
python listener.py
Exploit Execution
python exploit.py
Verify Execution
id
Confirm RCE Artifact
ls /tmp/
Retrieve Flag
cat /root/root.txt
24. Core Learning Insight
Expression injection vulnerabilities:
Are framework-level design failures
Not just coding mistakes
Recurring pattern:
User input → Expression engine → Code execution
This pattern exists across:
Java (SpEL)
Python (eval)
JavaScript (eval)
Template engines
THM Room Answers
Task 2: Exploring the Vulnerability
What evaluation context does the vulnerable version use to evaluate filter expressions?
StandardEvaluationContext
What SpEL operator loads a Java class by its fully qualified name?
T(…)
What Spring component had the same SpEL injection flaw in 2022?
Spring Cloud Function
Task 3: Understanding the Tools
What string in the HTTP response confirms that exec() fired?
EL1030E
What file does Stage 3 create on the target?
/tmp/pwned_cve_2026_22738
What flag makes listener.py fire the payload and listen in one command?
--exploit
Task 4: Exploiting CVE-2026-22738
What port is the vulnerable application running on?
8082
What user is the application running as?
root
What is the flag at /root/flag.txt?
THM{sp3l_1nj3ct10n_m3ans_spr1ng_AI_g0es_brrr}
Task 5: Detecting and Patching
What Java exception class appears in the stack trace during exploitation?
SpelEvaluationException
What Spring AI version fixes CVE-2026-22738 for the 1.0.x branch?
1.0.5
What evaluation context does the patched version use?
SimpleEvaluationContext