Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential exfiltration.
Impact
An attacker with ADMIN credentials can:
- Execute arbitrary OS commands via
T(java.lang.Runtime).getRuntime().exec('...') - Exfiltrate all environment variables (database passwords, API keys, Keycloak secrets) via
T(java.lang.System).getenv() - Read JVM system properties via
T(java.lang.System).getProperties() - Load arbitrary classes via
T(java.lang.Class).forName('...')
Affected Components
1. DocumentMigrationService (since 12.0.0)
Exploitable through the document migration REST API:
POST /api/management/v1/document-definition/migratePOST /api/management/v1/document-definition/migration/conflicts
The malicious SpEL expression is supplied in the source or target field of a DocumentMigrationPatch object in the request body, using the ${...} template syntax.
- In 12.x:
com.ritense.document.service.DocumentMigrationService#handleSpelExpression(document module) - In 13.x: same class, moved to the case module
2. Condition (since 13.4.0)
Exploitable through any admin-configured widget, dashboard, or feature that uses the Condition framework. The SpEL expression is supplied in the value field of a condition's JSON configuration.
com.ritense.valtimo.contract.conditions.Condition#resolveValue(contract module)
This component has a significantly wider attack surface than DocumentMigrationService, as conditions are used across many modules.
Remediation
Replace StandardEvaluationContext with SimpleEvaluationContext in both affected classes, which disallows Java type references and arbitrary method invocation:
val evaluationContext = SimpleEvaluationContext
.forPropertyAccessors(MapAccessor(), jsonPropertyAccessor)
.build()AnalysisAI
Spring Expression Language injection in Valtimo (open-source business process platform) allows authenticated ADMIN users to execute arbitrary OS commands and exfiltrate credentials. The vulnerability exists in DocumentMigrationService (versions 12.0.0-12.31.0 and 13.0.0-13.22.0) and the Condition framework (13.4.0-13.22.0), both of which use StandardEvaluationContext to evaluate user-supplied SpEL expressions without restrictions. Attackers can invoke Runtime.exec(), access environment variables containing database passwords and API keys, and load arbitrary Java classes. Vendor-released patches are available (12.32.0, 13.23.0). No public exploit identified at time of analysis, EPSS data not available.
Technical ContextAI
Spring Expression Language (SpEL) is a powerful expression language in the Spring Framework that supports querying and manipulating object graphs at runtime. The vulnerability stems from using StandardEvaluationContext instead of SimpleEvaluationContext when evaluating SpEL expressions. StandardEvaluationContext provides full access to the Java type system through the T(...) operator, enabling reflection-based attacks. The affected Valtimo components (DocumentMigrationService in document/case modules and Condition in contract module) accept SpEL expressions in ${...} template syntax from REST API requests (document migration endpoints) and JSON configuration (condition framework). CWE-94 (Code Injection) correctly classifies this as arbitrary code execution through unsafe evaluation of user-controlled expressions. The CPE identifiers pkg:maven/com.ritense.valtimo:document, pkg:maven/com.ritense.valtimo:case, and pkg:maven/com.ritense.valtimo:contract pinpoint the exact Maven artifacts affected across Valtimo's modular architecture.
RemediationAI
Upgrade to patched versions immediately: Valtimo 12.32.0 for 12.x deployments or Valtimo 13.23.0 for 13.x deployments. The vendor has replaced StandardEvaluationContext with SimpleEvaluationContext in both DocumentMigrationService and Condition classes, which disallows Java type references and arbitrary method invocation while preserving property access functionality. Upgrade instructions and release artifacts available at https://github.com/valtimo-platform/valtimo/security/advisories/GHSA-j7j9-5253-f7vh. If immediate patching is not feasible, implement compensating controls: (1) Audit and restrict ADMIN role assignments to minimum necessary personnel with background checks and periodic access reviews - this reduces the threat actor pool but does not eliminate risk from compromised accounts or malicious insiders; (2) Monitor and alert on POST requests to /api/management/v1/document-definition/migrate and /api/management/v1/document-definition/migration/conflicts endpoints for unusual patterns or ${T(...)} syntax in request bodies; (3) Enable application-level logging of SpEL expression evaluation attempts and integrate with SIEM; (4) Deploy runtime application self-protection (RASP) or web application firewall rules to detect T(java.lang.Runtime) and similar reflection patterns in POST body content - note this may cause false positives and requires tuning. These mitigations reduce but do not eliminate exploitation risk and should be treated as temporary measures pending upgrade. Code review of custom Valtimo extensions is recommended to ensure no additional StandardEvaluationContext usage exists.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30336
GHSA-j7j9-5253-f7vh