Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 64 maven packages depend on com.baomidou:dynamic-datasource-spring (1 direct, 63 indirect)
Ecosystem-wide dependent count for version 4.5.0.
DescriptionCVE.org
A vulnerability was determined in baomidou dynamic-datasource 2.5.0. Affected by this vulnerability is the function DsSpelExpressionProcessor#doDetermineDatasource of the file dynamic-datasource-spring/src/main/java/com/baomidou/dynamic/datasource/processor/DsSpelExpressionProcessor.java of the component StandardEvaluationContext/SpelExpressionParser. This manipulation causes injection. The attack may be initiated remotely. Patch name: 273fcedaee984c08197c0890f14190b86ab7e0b8. It is recommended to apply a patch to fix this issue.
AnalysisAI
SpEL expression injection in baomidou dynamic-datasource 2.5.0 allows authenticated remote attackers to execute arbitrary code via the DsSpelExpressionProcessor component. The vulnerability stems from unsafe evaluation of Spring Expression Language (SpEL) in datasource routing logic, enabling attackers with application access to inject malicious expressions that execute with application privileges. No public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available.
Technical ContextAI
baomidou dynamic-datasource is a Java library that provides dynamic database routing for Spring applications using SpEL expressions to determine the target datasource at runtime. The vulnerability exists in the DsSpelExpressionProcessor class, which uses Spring's StandardEvaluationContext and SpelExpressionParser to evaluate user-controlled or attacker-influenced expressions without sufficient sanitization. SpEL (Spring Expression Language) is a powerful templating language that, when evaluated on untrusted input, can be leveraged for arbitrary code execution through method invocation, class instantiation, and property access. This is a classic instantiation of CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), where unsanitized input flows directly into a code evaluation context.
RemediationAI
Apply the upstream patch released by baomidou via the commit 273fcedaee984c08197c0890f14190b86ab7e0b8 (GitHub pull request #767). Users should upgrade to a version that includes this commit, which is available from the baomidou/dynamic-datasource GitHub repository (https://github.com/baomidou/dynamic-datasource). If an immediate upgrade is not feasible, restrict application access to trusted users only and disable dynamic datasource routing features that rely on user-supplied SpEL expressions. Additionally, implement input validation and whitelisting for any datasource selection criteria before they are passed to the SpEL evaluator. Monitor application logs for suspicious SpEL expressions or unexpected datasource routing behavior. Contact baomidou maintainers or check GitHub releases for the specific patched version number, as the remediation data does not specify the exact release version containing the fix.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25722