Spring Boot Whitelabel Error Page SpEL
Description
Spring Boot applications using the default Whitelabel Error Page feature are vulnerable to remote code execution through Spring Expression Language (SpEL) injection. When an application throws an exception, user-controlled data from the request (such as path variables or parameters) can be reflected in the error page without proper sanitization. This allows attackers to inject malicious SpEL expressions that are evaluated server-side, leading to arbitrary code execution. This vulnerability affects Spring Boot versions prior to 1.2.8 and 1.3.1.
Remediation
Immediately upgrade Spring Boot to version 1.2.8, 1.3.1, or later to remediate this vulnerability. If immediate upgrading is not possible, implement the following temporary mitigations:
1. Disable the default Whitelabel Error Page by setting the following property in your application configuration:
server.error.whitelabel.enabled=false
2. Implement a custom error page that does not reflect user input without proper encoding:
@Controller
public class CustomErrorController implements ErrorController {
@RequestMapping("/error")
public String handleError() {
return "error"; // Return static error view
}
}3. Ensure all user input is properly validated and sanitized before being used in error messages or logging.
4. After upgrading, verify the fix by testing that SpEL expressions in request parameters are not evaluated on error pages.