Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Lifecycle Timeline
3DescriptionCVE.org
An improper neutralization of inputs used in expression language allows remote code execution with the highest privileges on the server.
AnalysisAI
Critical remote code execution vulnerability in expression language processors that allows unauthenticated attackers to execute arbitrary code with maximum server privileges through improper input neutralization. This is a perfect-score CVSS 10.0 vulnerability affecting expression language engines across multiple frameworks; exploitation requires no authentication, user interaction, or special configuration, making it an immediate priority for any organization using affected technologies.
Technical ContextAI
This vulnerability exploits CWE-917 (Expression Language Injection), a weakness in how expression language processors handle user-supplied input without proper sanitization. Expression languages (EL) such as OGNL, MVEL, SpEL (Spring), and JEXL are commonly embedded in web frameworks and template engines to dynamically evaluate expressions. When user input flows directly into EL evaluation functions without neutralization (e.g., via request parameters, headers, or form data), attackers can inject malicious expressions that access and manipulate server objects, invoke arbitrary methods, and ultimately achieve remote code execution. The lack of input validation or sandboxing allows the attacker to break out of the intended expression scope and execute system commands with the privileges of the application server process.
RemediationAI
Immediate remediation steps: (1) Consult vendor security advisories for CVE-2025-3322 patches—apply security updates to all affected expression language libraries and frameworks without delay; (2) If patches are unavailable, implement input validation and sanitization: disable or restrict expression language evaluation, use allowlisting for permitted expression syntax, implement strict input validation to reject suspicious patterns (${, #{, OGNL/SpEL syntax); (3) Apply defense-in-depth: disable unnecessary expression language features, run applications with minimal privileges (non-root), use Web Application Firewalls (WAF) to detect and block EL injection attempts; (4) For temporary mitigation before patching, isolate affected systems or restrict network access to trusted sources only; (5) Scan dependencies with tools like OWASP Dependency-Check or Snyk to identify library versions in use and flag vulnerable versions; (6) Review vendor advisories and patch management portals (e.g., NVD, vendor security pages) for specific patched versions and release dates.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17092