Hutool, Expression Language Injection, CVE-2025-51674 (Critical)


The vulnerability in Hutool stems from improper input sanitization within the `QLExpressEngine` class. This engine is used to evaluate dynamic expressions. When user-supplied input is passed directly to the `execute` method of this engine, an attacker can craft malicious expressions. These expressions are not sandboxed effectively, enabling the invocation of arbitrary Java methods, including `Runtime.exec()`. By injecting a payload like `java.lang.Runtime.getRuntime().exec("calc.exe")`, an attacker can achieve remote code execution with the privileges of the application, without requiring authentication.
Platform: Hutool
Version: < 5.8.40
Vulnerability: Expression Injection
Severity: Critical

Date: 2025-09-26

Prediction: Patch expected 2025-09-29

What Undercode Say:

Check the latest released version of `hutool-all` on Maven Central (the `maven-metadata.xml` sits at the artifact level, not inside a version directory):

```bash
curl -s https://repo1.maven.org/maven2/cn/hutool/hutool-all/maven-metadata.xml | grep -oP '<release>\K[^<]+'
```

```java
// Vulnerable Code Snippet
QLExpressEngine engine = new QLExpressEngine();
String userInput = request.getParameter("expression"); // Attacker-controlled
// Raw user input is evaluated with no restricted context and no validation.
Object result = engine.execute(userInput, null, null, false, false);

// Safe Code after patch
// Build a minimal, allow-listed context; mySafeObject is an application object defined elsewhere.
Map<String, Object> context = new HashMap<>();
context.put("safeObject", mySafeObject);
// Use a restricted context, avoid executing raw user input.
```

How Exploit:

Attacker sends an HTTP request with a malicious expression parameter targeting an endpoint that uses `QLExpressEngine.execute()` without proper validation. The payload invokes `Runtime.exec` to execute system commands on the server.

Protection from this CVE:

Upgrade to Hutool version 5.8.40 or later. Implement strict input validation and avoid passing user-controlled data directly to expression engines. Use a minimal, allow-listed context for expression evaluation.
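As an added example (not code from the advisory or from Hutool), the allow-list validation described above applied to the `expression` parameter, both as a pre-evaluation gate and as a detector run over constructed access-log lines; the allow-listed variable names and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the advisory). The second line
# carries the payload quoted in the advisory, URL-encoded as it would be logged.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Sep/2025:10:01:02 +0000] "GET /calc?expression=price%20*%20qty%20%3E%20100 HTTP/1.1" 200 17
10.0.0.9 - - [26/Sep/2025:10:01:07 +0000] "GET /calc?expression=java.lang.Runtime.getRuntime().exec(%22calc.exe%22) HTTP/1.1" 500 0
10.0.0.9 - - [26/Sep/2025:10:01:09 +0000] "GET /calc?expression=max(price%2Cqty) HTTP/1.1" 500 0
10.0.0.7 - - [26/Sep/2025:10:01:11 +0000] "GET /calc?expression=discount%20%2B%201 HTTP/1.1" 200 9
"""

# Allow-list grammar for the intended use: arithmetic and comparisons over a
# fixed set of context variables (assumed names). Dots, quotes, commas and any
# identifier outside the allow-list never match, so class names, method calls
# and string literals are rejected before the expression reaches the engine.
ALLOWED_VARS = {"price", "qty", "discount"}
TOKEN = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/%()<>=!&|]{1,2}))")

def is_allowed_expression(expr: str) -> bool:
    """True only if every token is a number, an allow-listed variable or an operator."""
    expr = expr.strip()
    if not expr:
        return False
    pos = 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            return False  # character outside the grammar, e.g. '.' or '"'
        _num, ident, _op = m.groups()
        if ident is not None and ident not in ALLOWED_VARS:
            return False  # 'java', 'Runtime', 'max', ... are not context variables
        pos = m.end()
    return True

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_suspicious_requests(log_text: str, param: str = "expression"):
    """Return (client_ip, decoded_expression) for requests failing the allow-list check."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get(param, []):  # parse_qs percent-decodes
            if not is_allowed_expression(value):
                hits.append((line.split()[0], value))
    return hits
```

The same `is_allowed_expression` gate, ported to the application's language, is what should run before any call into the expression engine; the log scan only shows which clients already tried to step outside the grammar.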

Impact:

Remote Code Execution leading to full compromise of the application server, data theft, and unauthorized system access.


Sources:

Reported By: github.com