Kotlin Expression Language Injection
Description
Detects Spring Expression Language (SpEL) injection vulnerabilities where untrusted data could be evaluated as SpEL expressions in Kotlin Spring applications. This could allow attackers to execute arbitrary code through maliciously crafted expressions.
Detection Strategy
• Checks if Spring Controller or SpEL related classes are imported in the codebase
• Identifies function calls that end with known SpEL evaluation sinks
• Verifies the presence of SpEL expression parser usage in the code
• Confirms whether the expression string is built from untrusted or unvalidated input data
• Reports a vulnerability when unsafe user input flows into SpEL expression evaluation
Vulnerable code example
import org.springframework.expression.spel.standard.SpelExpressionParser
import org.springframework.web.bind.annotation.*

@RestController
class VulnerableController {
    @GetMapping("/unsafe")
    fun unsafeEndpoint(@RequestParam("expr") userInput: String): String {
        val parser = SpelExpressionParser()...

✅ Secure code example
import org.springframework.expression.spel.standard.SpelExpressionParser
import org.springframework.expression.spel.support.SimpleEvaluationContext
import org.springframework.web.bind.annotation.*

@RestController
class SafeController {
    @GetMapping("/safe")
    fun safeEndpoint(@RequestParam("expr") userInput: String): String {...
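The two patterns above carried through as a runnable side-by-side comparison: the unsafe evaluation uses StandardEvaluationContext, the hardened one uses SimpleEvaluationContext.forReadOnlyDataBinding(). This is an added example, not Fluid Attacks' rule code or the page's own snippets; it assumes spring-expression is on the classpath, and the Order class, evaluateUnsafe, evaluateSafe and compare are constructed here for illustration.

```kotlin
import org.springframework.expression.spel.SpelEvaluationException
import org.springframework.expression.spel.standard.SpelExpressionParser
import org.springframework.expression.spel.support.SimpleEvaluationContext
import org.springframework.expression.spel.support.StandardEvaluationContext

// Constructed root object: the only data a user-supplied expression should be able to read.
data class Order(val id: Int, val total: Double)

private val parser = SpelExpressionParser()

// Vulnerable pattern: StandardEvaluationContext (also what getValue() uses when no
// context is passed) resolves T(...) type references, constructors and arbitrary
// method calls, so a user-controlled expression reaches the whole JVM.
fun evaluateUnsafe(expr: String, root: Order): Any? =
    parser.parseExpression(expr).getValue(StandardEvaluationContext(root))

// Hardened pattern: SimpleEvaluationContext.forReadOnlyDataBinding() limits the
// expression to reading public properties of the root object; type references,
// constructors, bean references and method invocation are rejected at evaluation.
fun evaluateSafe(expr: String, root: Order): Any? {
    val context = SimpleEvaluationContext.forReadOnlyDataBinding().build()
    return parser.parseExpression(expr).getValue(context, root)
}

// Evaluates the same expression in both contexts and renders each outcome so the
// difference is visible; SpelEvaluationException is what the restricted context throws.
fun compare(expr: String, root: Order): Pair<String, String> {
    fun run(block: () -> Any?): String =
        try { "ok: ${block()}" } catch (e: SpelEvaluationException) { "rejected: ${e.messageCode}" }
    return run { evaluateUnsafe(expr, root) } to run { evaluateSafe(expr, root) }
}

fun main() {
    val order = Order(id = 42, total = 19.99)
    // Legitimate data-binding expression: accepted by both contexts.
    println(compare("total * 2", order))
    // Type reference: StandardEvaluationContext resolves the class; the restricted
    // context throws SpelEvaluationException (TYPE_NOT_FOUND) before anything runs.
    println(compare("T(java.lang.System).getProperty('java.version')", order))
}
```

In a detection rule this maps directly to the sink check: a parseExpression(...).getValue(...) call reached by request data with no context, or with a StandardEvaluationContext, is the finding; the same call with a SimpleEvaluationContext built for read-only data binding is the expected fix.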