How to Detect and Fix the Spring SPEL Remote Code Execution Vulnerability
This guide explains the Spring SPEL injection flaw, how to determine if your Java application is affected by checking JDK version and Spring usage in WAR or JAR packages, and provides official upgrade steps along with temporary WAF and code‑level mitigations.
Vulnerability Overview
The Spring Framework SPEL injection vulnerability enables remote command execution under certain conditions. VMware’s security advisory lists the affected versions and provides a fix.
Detection Methods
1. JDK Version Check
If the JDK version is 8 or lower, the vulnerability does not apply.
2. Identify Spring Usage
For WAR‑packaged projects:
Rename the .war file to .zip and unzip it.
Search for files matching spring-beans-*.jar (e.g., spring-beans-5.3.16.jar). Presence indicates Spring usage.
If no such JAR is found, look for CachedIntrospectionResults.class to confirm Spring.
For executable JAR projects:
Rename the .jar file to .zip and unzip it.
Search for spring-beans-*.jar or CachedIntrospectionResults.class using the same logic.
3. Comprehensive Judgment
A system is vulnerable only when both conditions are true: the JDK version is 9 or higher **and** the application uses Spring (or a derivative framework).
Remediation
Official Patch
Upgrade the Spring Framework to version 5.3.17, which contains the official fix.
Temporary Mitigations
Configure WAF rules to block patterns such as “class.*”, “Class.*”, “*.class.*”, “*.Class.*”. Test the application after applying the rules to avoid side effects.
Search the codebase for @InitBinder methods that invoke dataBinder.setDisallowedFields. Add the disallowed field patterns {"class.*","Class.*","*.class.*","*.Class.*"} wherever they appear.
Create a global class (placed in a package scanned by Spring, typically alongside controllers) that registers the same disallowed fields, then rebuild, repackage, and redeploy the application.
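Added example, not code from the original article or from the Spring project: a global @ControllerAdvice that registers the disallowed field patterns from the guide, plus a hypothetical controller-local @InitBinder showing why a merge helper is needed, since setDisallowedFields replaces the whole list rather than appending to it. The class names BinderControllerAdvice and OrderController and the merge helper are assumptions; place the advice in a package scanned by Spring.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Global mitigation: every WebDataBinder created for any controller gets the
 * class.* / Class.* patterns in its disallowed-field list, so request
 * parameters that walk into the class property are rejected during binding.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // The patterns named in the guide; reused by controller-local binders.
    public static final String[] CLASS_DENYLIST =
            {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void denyClassProperties(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(merge(dataBinder, CLASS_DENYLIST));
    }

    // setDisallowedFields overwrites the array, so merge instead of replacing
    // (hypothetical helper, not part of Spring).
    static String[] merge(WebDataBinder dataBinder, String... extra) {
        Set<String> merged = new LinkedHashSet<>();
        String[] existing = dataBinder.getDisallowedFields();
        if (existing != null) merged.addAll(Arrays.asList(existing));
        merged.addAll(Arrays.asList(extra));
        return merged.toArray(new String[0]);
    }
}

@Controller
class OrderController {
    // Hypothetical controller-local binder. It runs after the advice's binder,
    // so a plain setDisallowedFields("id") here would silently drop the global
    // class.* patterns; merging keeps both sets.
    @InitBinder
    void localBinder(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(
                BinderControllerAdvice.merge(dataBinder, "id", "createdAt"));
    }
}
```

Verify the mitigation after deployment by confirming that a request carrying a class.* parameter no longer binds it (a BindException or a logged binding error rather than an applied property).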
After applying these temporary measures, monitor the official patch release and upgrade as soon as possible.
JavaEdge
First‑line development experience at multiple leading tech firms; now a software architect at a Shanghai state‑owned enterprise and founder of Programming Yanxuan. Nearly 300k followers online; expertise in distributed system design, AIGC application development, and quantitative finance investing.