daehyuh/CVE-2026-41729

CVE-2026-41729: Spring Data REST SpEL Injection via Map Key in JSON Patch

This repository contains a minimal Java/Spring Boot reproducer for CVE-2026-41729, a High severity Spring Data REST vulnerability involving SpEL expression injection through map keys in JSON Patch requests.

Official advisory: https://spring.io/security/cve-2026-41729/

Status

Published CVE reproducer.

The issue was identified and responsibly reported by Daehyun Kang (@daehyuh).

The sample starts a real Spring Boot application with Spring Data REST, exposes a repository endpoint, and sends HTTP PATCH requests to that endpoint. It does not require Docker, a database server, a message broker, credentials, or any external service.

Affected Component Exercised by the Sample

  • Project: Spring Data REST
  • Maven package: org.springframework.data:spring-data-rest-webmvc
  • Version resolved by this sample: 4.5.11
  • Spring Boot parent: 3.5.14
  • Relevant Spring code path: org.springframework.data.rest.webmvc.json.patch.SpelPath

Vulnerability Summary

Spring Data REST is vulnerable to SpEL expression injection when processing JSON Patch (application/json-patch+json) requests against map-typed properties.

When a persistent entity exposes a Map-typed property, a JSON Pointer path segment used as a map key can be embedded into a generated SpEL expression. A crafted map key can break out of the intended map-key literal and continue evaluation as a property path.

This sample demonstrates that a crafted JSON Patch path can modify a property that is not exposed through the normal REST representation.

Run the Sample

Windows:

.\mvnw.cmd test

macOS/Linux:

./mvnw test

Expected vulnerable-run result:

Tests run: 3, Failures: 0, Errors: 0, Skipped: 0
BUILD SUCCESS

What the Sample Demonstrates

The domain object contains a visible people map. Each Person also contains a hiddenChildren map that is hidden from Spring Data REST/Jackson with @JsonIgnore.

The test verifies that the normal REST representation does not expose hiddenChildren or the hidden value.

The test then sends a direct JSON Patch request to the Spring Data REST repository endpoint:

PATCH /wrappers/sample
Content-Type: application/json-patch+json

[
  {
    "op": "replace",
    "path": "/people/a/hiddenChildren/b/name",
    "value": "after"
  }
]

That direct hidden-property path is rejected, and the hidden value remains "before".

The test then sends a crafted map-key JSON Patch path:

PATCH /wrappers/sample
Content-Type: application/json-patch+json

[
  {
    "op": "replace",
    "path": "/people/a'].hiddenChildren['b/name",
    "value": "after"
  }
]

Observed vulnerable behavior: the request succeeds and changes the hidden value from "before" to "after".

The test also verifies that the map does not contain a literal key named a'].hiddenChildren['b, so the change is caused by expression breakout rather than normal map-key behavior.

Why This Exercises Spring Data REST Code

The application-specific classes only provide a minimal object graph and repository so Spring Data REST can process a real HTTP JSON Patch request. They do not parse the JSON Patch path and do not evaluate expressions.

The relevant behavior occurs when Spring Data REST converts the JSON Patch path into a SpEL path. For string-keyed maps, the raw path segment is embedded into a generated SpEL indexer as a quoted string without escaping the segment first. A single quote in the map key segment can therefore break out of the intended map-key literal and continue as a property path.
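The following Python model of the path-to-expression conversion described above is added here as an illustration; it is not code from Spring Data REST or from this repository. It models only the string construction (JSON Pointer tokens turned into a SpEL property path with quoted map indexers), not Spring's property-visibility checks. MAP_PROPERTIES, the function names and the sample patch body are constructed for the illustration. It puts the unescaped builder the text describes beside a hardened builder that applies SpEL's own literal escaping rule (a single quote inside a single-quoted string is written as two single quotes), and adds a pre-dispatch check that flags patch operations whose map-key segment carries quote or bracket characters, which is a usable stopgap while the dependency is being upgraded.

```python
import json

# Constructed schema for the sample's object graph: property names that hold
# string-keyed maps. Spring Data REST derives this from entity metadata; here
# it is an assumption made for the illustration.
MAP_PROPERTIES = {"people", "hiddenChildren"}

# Constructed JSON Patch body: one ordinary operation and the crafted one
# shown in the test above.
SAMPLE_PATCH_BODY = json.dumps([
    {"op": "replace", "path": "/people/a/name", "value": "x"},
    {"op": "replace", "path": "/people/a'].hiddenChildren['b/name", "value": "after"},
])


def split_json_pointer(path: str) -> list[str]:
    """Split an RFC 6901 JSON Pointer into decoded reference tokens."""
    if path == "":
        return []
    if not path.startswith("/"):
        raise ValueError("JSON Pointer must start with '/'")
    # Decode ~1 before ~0 so that "~01" becomes "~1" rather than "/" (RFC 6901 order).
    return [t.replace("~1", "/").replace("~0", "~") for t in path[1:].split("/")]


def _segment_kinds(tokens):
    """Yield (token, is_map_key) pairs: a token following a map-typed property is a key."""
    prev_prop = None
    for tok in tokens:
        is_key = prev_prop in MAP_PROPERTIES
        yield tok, is_key
        # A map key is followed by a property of the map value, so only
        # tokens that are themselves property names are remembered.
        prev_prop = None if is_key else tok


def spel_path_unescaped(path: str) -> str:
    """Model of the behaviour the advisory describes: the key is embedded verbatim."""
    out = ""
    for tok, is_key in _segment_kinds(split_json_pointer(path)):
        out += f"['{tok}']" if is_key else (f".{tok}" if out else tok)
    return out


def spel_quote(s: str) -> str:
    """Build a SpEL string literal; a single quote inside it is written as ''."""
    return "'" + s.replace("'", "''") + "'"


def spel_path_escaped(path: str) -> str:
    """Hardened builder: every map key is passed through spel_quote()."""
    out = ""
    for tok, is_key in _segment_kinds(split_json_pointer(path)):
        out += f"[{spel_quote(tok)}]" if is_key else (f".{tok}" if out else tok)
    return out


def suspicious_patch_ops(body: str) -> list[dict]:
    """Pre-dispatch check: return the operations whose map-key segment contains a
    quote or bracket, i.e. characters that would change the generated expression
    rather than name a real key."""
    flagged = []
    for op in json.loads(body):
        for tok, is_key in _segment_kinds(split_json_pointer(op.get("path", ""))):
            if is_key and any(c in tok for c in "'[]"):
                flagged.append(op)
                break
    return flagged


if __name__ == "__main__":
    crafted = "/people/a'].hiddenChildren['b/name"
    print("unescaped:", spel_path_unescaped(crafted))
    print("escaped:  ", spel_path_escaped(crafted))
    print("flagged:  ", suspicious_patch_ops(SAMPLE_PATCH_BODY))
```

With the hardened builder the crafted path becomes people['a''].hiddenChildren[''b'].name, which SpEL reads as a lookup of one map key that does not exist, so the write fails instead of reaching hiddenChildren; the ordinary path /people/a/name still becomes people['a'].name. The pre-dispatch check flags only the crafted operation, which matches the sample's observation that the map never holds a literal key containing the breakout characters.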
