Spring Expression Language (SpEL) is vulnerable to Denial of Service (DoS). The vulnerability exists in the doParseExpression function of InternalSpelExpressionParser.java because the length of a SpEL expression is not restricted, which allows an attacker to cause an application crash.
github.com/advisories/GHSA-wxqc-pxw9-g2p8
github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15
github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e
github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f
github.com/spring-projects/spring-framework/issues/30325
github.com/spring-projects/spring-framework/issues/30329
github.com/spring-projects/spring-framework/issues/30330
spring.io/security/cve-2023-20863
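The advisory above turns on one property: the parser accepts expressions of unbounded length. As an added illustration (not code from the advisory or from the Spring project), the class below shows an application-side guard that rejects over-length expressions before they reach the parser, useful where expressions originate from untrusted input or an upgrade is not yet possible. MAX_EXPRESSION_LENGTH is an assumed value and is not the limit chosen by the upstream fix.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;

public final class BoundedSpelParser {

    // Assumed application-side cap; size it to the longest legitimate
    // expression in your code base. Not the limit used by the upstream fix.
    private static final int MAX_EXPRESSION_LENGTH = 1_000;

    private final ExpressionParser delegate = new SpelExpressionParser();

    /** Parses the expression only if its length is within the configured bound. */
    public Expression parse(String expressionString) {
        if (expressionString == null) {
            throw new IllegalArgumentException("expression must not be null");
        }
        if (expressionString.length() > MAX_EXPRESSION_LENGTH) {
            // Reject before doParseExpression ever sees the input: the advisory
            // describes unrestricted expression length as the crash trigger.
            throw new IllegalArgumentException(
                "SpEL expression too long: " + expressionString.length()
                + " chars (max " + MAX_EXPRESSION_LENGTH + ")");
        }
        return delegate.parseExpression(expressionString);
    }

    public static void main(String[] args) {
        BoundedSpelParser parser = new BoundedSpelParser();

        // Constructed sample: a short, well-formed expression parses normally.
        Integer result = parser.parse("1 + 2 * 3").getValue(Integer.class);
        System.out.println("evaluated: " + result);

        // Constructed sample: an over-length expression is rejected up front
        // instead of being handed to the recursive-descent parser.
        String oversized = "1".repeat(MAX_EXPRESSION_LENGTH + 1);
        try {
            parser.parse(oversized);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard complements, rather than replaces, upgrading to a patched Spring Framework release, which enforces the bound inside the parser itself.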