Dae Glendowne (2 min read)

Expression DoS Vulnerability Found in Spring - CVE-2023-20861

As part of our efforts to improve the security of open-source software, we continuously test open-source projects with our JVM fuzzing engine Jazzer in Google’s OSS-Fuzz. One of our tests yielded a Denial of Service vulnerability in the Spring Framework (CVE-2023-20861). Spring is one of the most widely used frameworks for developing web applications in Java. As a result, vulnerabilities have an amplified impact on all applications that rely on the vulnerable version.

Update: Another Expression DoS Found in Spring - CVE-2023-20863

Three weeks after the announcement of CVE-2023-20861, Jazzer's OSS-Fuzz integration found a second, more severe Expression DoS vulnerability in Spring. We wrote a separate blog post including mitigation advice about the new vulnerability.


Vulnerability Description

It is possible for a user to provide a specially crafted SpEL expression that causes a denial-of-service (DoS) condition. SpEL expression evaluation can result in an OutOfMemoryError when a large string is supplied to the repeat operator (<string> * <integer>). For example, the following SpEL expression can trigger the issue:

'xyz' * 941859717

In Spring Framework 6.0.x the operator is implemented with String#repeat (introduced in Java 11). That method first checks whether the result length would overflow an int and, if so, throws an OutOfMemoryError ("Required length exceeds implementation limit") without allocating anything; for the expression above, 3 * 941859717 exceeds Integer.MAX_VALUE, so the error is raised immediately and is somewhat superficial. Spring Framework 5.3.x and earlier versions instead append the string to a StringBuilder in a for-loop, so the JVM genuinely tries to build the multi-gigabyte result and exhausts the heap, which leads to a legitimate OutOfMemoryError.

Furthermore, the repeat operator can be used as a "gadget" to easily generate large strings in SpEL expressions that can then be passed to other SpEL operators (such as the matches operator) or components, potentially resulting in undesired effects.
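The following probe is an added example (it is not code from the original post or from the Spring project): it parses the advisory's payload with Spring's SpelExpressionParser, evaluates it in a read-only SimpleEvaluationContext and classifies the outcome, so you can confirm whether the Spring Framework on your classpath bounds the repeat operator. The class and method names are assumptions for the example; the only Spring APIs used are SpelExpressionParser, SimpleEvaluationContext, SpelEvaluationException and SpringVersion. Run it in a throw-away JVM with a small heap, because on an unpatched 5.3.x release the evaluation really does try to allocate the full string.

```java
import org.springframework.core.SpringVersion;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/**
 * Added example (hypothetical helper, not part of Spring or the original post).
 * Evaluates the CVE-2023-20861 payload against whatever Spring Framework
 * is on the classpath and reports whether the repeat operator is bounded.
 */
public class SpelRepeatProbe {

    // Payload from the advisory: 3 chars * 941_859_717 = 2_825_579_151, which
    // is larger than Integer.MAX_VALUE (2_147_483_647).
    static final String PAYLOAD = "'xyz' * 941859717";

    // Benign control input that every version should evaluate to "ababab".
    static final String CONTROL = "'ab' * 3";

    enum Outcome { BOUNDED, OUT_OF_MEMORY, EVALUATED }

    static Outcome probe(String spel) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression expr = parser.parseExpression(spel);
        // A read-only data-binding context blocks method invocation, type
        // references and bean lookups, but it does NOT neutralise the repeat
        // operator: operators are part of the language itself.
        try {
            Object value = expr.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());
            System.out.println("  evaluated to a " + value.getClass().getSimpleName()
                    + " of length " + value.toString().length());
            return Outcome.EVALUATED;
        } catch (SpelEvaluationException e) {
            // Patched releases (6.0.7+, 5.3.26+, 5.2.23.RELEASE+) reject
            // oversized repeated text here instead of building it.
            System.out.println("  rejected by SpEL: " + e.getMessage());
            return Outcome.BOUNDED;
        } catch (OutOfMemoryError e) {
            // 6.0.0-6.0.6: String#repeat's overflow guard throws before allocating.
            // 5.3.x and older: the StringBuilder loop genuinely exhausts the heap.
            // Catching OutOfMemoryError is acceptable only in a disposable probe JVM.
            System.out.println("  OutOfMemoryError: " + e.getMessage());
            return Outcome.OUT_OF_MEMORY;
        }
    }

    public static void main(String[] args) {
        System.out.println("Spring Framework " + SpringVersion.getVersion());
        System.out.println(CONTROL + " -> " + probe(CONTROL));
        System.out.println(PAYLOAD + " -> " + probe(PAYLOAD));
    }
}
```

An outcome of BOUNDED for the payload (with the control still evaluating normally) indicates a release that carries the fix; OUT_OF_MEMORY indicates an affected version and the upgrade below applies. The probe deliberately reports only what the running version does, rather than re-implementing the limit checks that the fixed releases add.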

Affected Versions:

  • 6.0.0 to 6.0.6
  • 5.3.0 to 5.3.25
  • 5.2.0.RELEASE to 5.2.22.RELEASE
  • Older, unsupported versions are also affected

Mitigation

Fixes have already been released. These include adding limit checks for the effective size of repeated text as well as the length of a regular expression supplied to the matches operator.

Users of affected versions should upgrade to a new version that contains the fixes: 

  • 6.0.x users should upgrade to 6.0.7+.
  • 5.3.x users should upgrade to 5.3.26+.
  • 5.2.x users should upgrade to 5.2.23.RELEASE+. 

Users of older, unsupported versions should upgrade to 6.0.7+ or 5.3.26+. No other steps are necessary. 

Acknowledgements

We are grateful to the Spring maintainers for quickly responding to the issue and providing a fix and new releases.
