Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9Blast Radius
ecosystem impact- 17 maven packages depend on org.dromara.warm:warm-flow-plugin-modes-sb (6 direct, 11 indirect)
Ecosystem-wide dependent count for version 1.8.5.
DescriptionCVE.org
A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
AnalysisAI
Remote code injection in Dromara warm-flow up to version 1.8.4 allows authenticated attackers to execute arbitrary code through the SpelHelper.parseExpression function via manipulation of listenerPath, skipCondition, or permissionFlag parameters in the Workflow Definition Handler. The vulnerability uses SpEL (Spring Expression Language) injection to achieve code execution with CVSS 6.3 severity. Publicly available exploit code exists and the flaw has been documented in the project's issue tracker.
Technical ContextAI
The vulnerability exists in the SpelHelper.parseExpression function within the Workflow Definition Handler component of warm-flow, a workflow orchestration framework. The root cause is CWE-94 (Improper Control of Generation of Code), where user-supplied input from listenerPath, skipCondition, or permissionFlag parameters are passed directly to SpEL expression parsing without proper validation or sanitization. SpEL is a powerful expression language used in Spring Framework that allows dynamic evaluation of strings as code. When user input reaches SpEL evaluation functions unfiltered, attackers can craft malicious expressions to break out of intended expression syntax and execute arbitrary Java code with the privileges of the application runtime.
RemediationAI
Upgrade Dromara warm-flow to a patched version released after 1.8.4. Check the official Gitee repository (https://gitee.com/dromara/warm-flow/) for the latest stable release. As an immediate workaround pending patching, restrict access to the Workflow Definition Handler (/warm-flow/save-json endpoint) to trusted administrators only, and implement input validation to reject any listenerPath, skipCondition, or permissionFlag parameters containing SpEL syntax characters (${, #{, brackets, operators). Disable or restrict the ability for end-users to define custom workflow expressions if not operationally necessary. Monitor application logs for evidence of exploitation attempts, particularly payloads containing SpEL injection patterns.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21729
GHSA-822v-8w6h-5jxp