CVE-2018-1273
CVE-2018-1273 is a critical-severity vulnerability in Broadcom Spring Data Commons with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-94.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 96% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-25)
- EU (EUVD) id: EUVD-2018-0500
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-25)
- Weakness: CWE-94
- Affected product: Broadcom Spring Data Commons
- Published:
- Last modified:
Description
Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
CVE-2018-1273: Spring Data Commons Property Binder RCE
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-1273 |
| CWE | CWE-94: Improper Control of Generation of Code ("Code Injection") |
| CVSS v2 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| CVSS v3.1 | 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| EPSS | 95.65 % (percentile 99.86 %) |
| KEV | Yes (added 2022-03-25) |
| EU Exploited | Yes (since 2022-03-25) |
| Published | 2018-04-11 |
| Last Modified | 2026-06-26 |
Summary
Spring Data Commons, versions prior to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote attacker can supply specially crafted request parameters against Spring Data REST backed HTTP resources, or leverage Spring Data's projection-based request payload binding, to achieve remote code execution.
Background
Spring Data Commons provides the shared infrastructure and common abstractions used by all Spring Data modules, including Spring Data REST. The REST module exposes repository interfaces directly as HTTP resources, automatically mapping request parameters and JSON payloads to domain objects. A core component of this pipeline is the property binder, which populates object properties from incoming request data. When this binder does not properly sanitize or neutralize special elements in property paths, it can be tricked into evaluating arbitrary expressions.
Root Cause
The vulnerability is classified under CWE-94: Improper Control of Generation of Code ("Code Injection"). The root cause lies in the property binder's handling of nested property paths. During data binding, the framework evaluates property names to resolve nested values. An attacker can inject malicious expressions into these property paths. Because the binder does not adequately neutralize special characters or expression-language syntax, the input is interpreted as executable code rather than as a literal property name, leading to code injection and, ultimately, remote code execution.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores this vulnerability at 9.8 (Critical). The impact is severe and comprehensive:
- Confidentiality Impact: HIGH — An attacker can read arbitrary files, extract secrets, or access sensitive data within the application environment.
- Integrity Impact: HIGH — The attacker can modify application data, configuration, or runtime state.
- Availability Impact: HIGH — System processes can be terminated or the host can be rendered unstable.
The CVSS v2 score of 7.5 and an exploitability score of 10.0 further reflect that exploitation requires no authentication and minimal complexity. With network access as the only prerequisite, this vulnerability is trivially exploitable at scale.
Exploitation Walkthrough
Ethics caveat: This section describes the vulnerability mechanism from a defensive perspective. No weaponized exploit code is provided. Organizations should use this information to understand attack surface and prioritize patching.
- Identify the target — Locate a publicly accessible Spring Data REST endpoint that accepts HTTP parameters or a JSON payload bound to a domain object.
- Craft a malicious payload — The attacker constructs a request where a parameter name or JSON key contains an embedded expression. Instead of a benign property path like
username, the input contains a path that the property binder interprets as a dynamic expression. - Submit the request — The payload is sent via an HTTP request (commonly
POST,PUT, orPATCH). Because the endpoint is unauthenticated, no prior access is required. - Server-side evaluation — The property binder processes the malicious path, evaluates the embedded expression, and executes attacker-controlled logic within the JVM process.
- Post-exploitation — Depending on the expression payload and server configuration, this can lead to arbitrary code execution, data exfiltration, or lateral movement.
Defenders should treat any unpatched Spring Data REST endpoint exposed to untrusted networks as high-risk.
Affected and Patched Versions
Affected:
- Spring Data Commons: versions prior to 1.13.10
- Spring Data Commons: 2.0 to 2.0.5
- Spring Data REST (backed by vulnerable Spring Data Commons versions)
- Older unsupported versions
Patched:
- Spring Data Commons 1.13.11 and later (1.13.x line)
- Spring Data Commons 2.0.6 and later (2.0.x line)
- Later major versions incorporating the fix
Additional affected products identified via CPE analysis include Apache Ignite, Oracle Financial Services Crime and Compliance Management Studio (versions 8.0.8.2.0 and 8.0.8.3.0), and other products bundling the vulnerable Spring Data Commons library.
Remediation
- Upgrade immediately — Update Spring Data Commons to a patched version (1.13.11+ or 2.0.6+). If running a modern Spring Boot application, upgrade to the latest Spring Boot patch release, which pulls in corrected dependencies.
- Compensating controls — If immediate patching is not feasible:
- Place the application behind an authenticated API gateway or reverse proxy.
- Restrict network access to the Spring Data REST endpoints to trusted administrative hosts only.
- Implement strict input validation and parameter allow-listing at the edge.
- Disable Spring Data REST exposure for sensitive repositories if not required.
- Dependency scanning — Use software composition analysis (SCA) tools to verify that no transitive dependencies still pull in the vulnerable
spring-data-commonsversions.
Detection
- Network detection — Monitor HTTP request logs for unusual parameter names or JSON keys containing expression-language markers, nested parentheses, or other anomalous patterns against Spring Data REST endpoints.
- Host detection — Look for unexpected child processes spawned by the application server JVM, or outbound network connections initiated by the application process.
- Vulnerability scanning — Validate via authenticated or unauthenticated application scans that check the
spring-data-commonsversion in use. - Runtime Application Self-Protection (RASP) — Deploy RASP agents capable of intercepting dangerous reflection or expression-evaluation calls within the JVM.
Assessment
CVE-2018-1273 is a textbook example of how automatic data-binding convenience can become critical attack surface. An EPSS score of 95.65 % with a 99.86th percentile rank indicates that this vulnerability is among the most likely to be exploited in the wild. Its inclusion in CISA's Known Exploited Vulnerabilities catalog (added 2022-03-25) and the EU exploited vulnerabilities list confirms active, real-world exploitation.
Key lessons:
- Frameworks that dynamically evaluate user input as code paths must implement strict allow-listing and neutralization.
- A vulnerability with AV:N/AC:L/PR:N and an EPSS above 95 % should be treated as an emergency patching item; compensating controls are temporary measures only.
References
- https://pivotal.io/security/cve-2018-1273
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://nvd.nist.gov/vuln/detail/CVE-2018-1273
- https://github.com/spring-projects/spring-data-commons/issues/1721
- https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653
- https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a
- https://github.com/advisories/GHSA-4fq3-mr56-cg6r
- https://github.com/spring-projects/spring-data-commons
- http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
Frequently asked questions
- What is CVE-2018-1273?
- Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.
- How severe is CVE-2018-1273?
- CVE-2018-1273 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-1273 being actively exploited?
- Yes. CVE-2018-1273 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-1273?
- CVE-2018-1273 primarily affects Broadcom Spring Data Commons. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-1273?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-1273 have an EU (EUVD) identifier?
- Yes. CVE-2018-1273 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-0500. It is also flagged as exploited in the EUVD (since 2022-03-25).
- When was CVE-2018-1273 published?
- CVE-2018-1273 was published on 2018-04-11 and last updated on 2026-06-26.
References
- http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E
- https://pivotal.io/security/cve-2018-1273
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-1273
Affected products (8)
- cpe:2.3:a:broadcom:spring_data_commons:*:*:*:*:*:*:*:*
- cpe:2.3:a:pivotal_software:spring_data_rest:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:spring_data_rest:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:ignite:1.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:apache:ignite:1.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
More vulnerabilities in Broadcom Spring Data Commons
- CVE-2026-41716 — High (CVSS 7.5): Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys,…
- CVE-2026-41695 — High (CVSS 7.5): Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when…
- CVE-2018-1259 — High (CVSS 7.5): Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or…
- CVE-2018-1274 — High (CVSS 7.5): Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path…
- CVE-2026-41721 — Medium (CVSS 5.9): Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web…
- CVE-2026-41711 — Medium (CVSS 5.9): Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a…
All CVEs affecting Broadcom Spring Data Commons →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.