---
name: cwe-917-expression-language-injection
description: Use this skill when you need to remediate CWE-917 (Expression Language Injection) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing expression language injection issues.
version: 1.0.0
license: MIT
tags:
  - security
  - java
  - cwe-917
  - remediation
  - sast
  - expression-injection
  - spel
  - injection
---
# CWE-917 Expression Language Injection

## Description

Expression Language Injection occurs when untrusted input is evaluated as part of an expression language statement, such as a Spring Expression Language (SpEL) expression, so that the input controls what the expression does rather than merely supplying a value to it.

- Reference: https://cwe.mitre.org/data/definitions/917.html
- OWASP Category: A03:2021 – Injection
## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: Using StandardEvaluationContext allows access to dangerous types
ExpressionParser parser = new SpelExpressionParser();
StandardEvaluationContext context = new StandardEvaluationContext();
context.setVariable("input", userInput);
// userExpression comes straight from the request, so the caller decides what gets evaluated
Expression expression = parser.parseExpression(userExpression);
Object result = expression.getValue(context);
```

**Why it's vulnerable:** The expression string itself is user-controlled, and `StandardEvaluationContext` gives any evaluated expression the full power of SpEL, including type references, constructor invocation and method calls. A caller can therefore submit an expression that runs arbitrary code in the application's process instead of the data lookup the developer intended.
## Deterministic Fix

### ✅ Secure Implementation

```java
// SECURE: SimpleEvaluationContext restricts type access
ExpressionParser parser = new SpelExpressionParser();
SimpleEvaluationContext context = SimpleEvaluationContext
        .forReadOnlyDataBinding()   // properties can be read but not assigned
        .withInstanceMethods()      // instance methods on the root object remain callable
        .build();
// Only allow safe expressions, reject user-controlled expression strings
Expression expression = parser.parseExpression(PREDEFINED_EXPRESSION);
Object result = expression.getValue(context, targetObject);
```

**Why it's secure:** `SimpleEvaluationContext` does not support Java type references, constructors or bean references, and `forReadOnlyDataBinding()` further disallows assignment, so the expression is limited to reading properties of the root object. Just as importantly, the expression string is a constant chosen by the developer, so the user can no longer influence what is evaluated. Note that `withInstanceMethods()` keeps instance methods on the root object callable; omit it unless the expression needs them, and keep the root object free of methods with side effects.
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find StandardEvaluationContext usage
grep -rn "StandardEvaluationContext" --include="*.java"

# Find SpEL parsing with user input
grep -rn "parseExpression" --include="*.java" | grep -E "getParameter|request"
```
## Remediation Steps

1. Replace `StandardEvaluationContext` with `SimpleEvaluationContext`
2. Use `forReadOnlyDataBinding()` to restrict property access
3. Never parse user-controlled expression strings
4. Whitelist allowed expression patterns if dynamic expressions are required

## Key Imports

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
```
## Verification

After remediation:

1. Run SAST scanner to confirm vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code

## Trigger Examples

- Fix CWE-917 vulnerability
- Resolve Expression Language Injection issue
- Secure this Java code against expression language injection
- SAST reports CWE-917
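The remediation steps and the verification list above, worked through in one class as an added example that is not part of the original skill: user input selects a named, pre-parsed expression from an allowlist, evaluation runs under a read-only `SimpleEvaluationContext`, and `main` exercises the two rejection paths a unit test should cover. The `Person` class, the expression names and the sample values are constructed for this example; it assumes Spring's `spring-expression` module on the classpath.

```java
import java.util.Map;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/** Evaluates only named, developer-defined SpEL expressions against a caller-supplied root object. */
public final class SafeSpelEvaluator {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Allowlist: the client picks a key, never the expression text itself.
    private static final Map<String, Expression> ALLOWED = Map.of(
            "displayName", PARSER.parseExpression("firstName + ' ' + lastName"),
            "isAdult", PARSER.parseExpression("age >= 18"));

    public static Object evaluate(String expressionName, Object root) {
        Expression expr = ALLOWED.get(expressionName);
        if (expr == null) {
            throw new IllegalArgumentException("Unknown expression: " + expressionName);
        }
        // Read-only data binding: no type references, constructors, bean references or assignment.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return expr.getValue(ctx, root);
    }

    /** Sample root object (constructed for this example). */
    public static final class Person {
        private final String firstName;
        private final String lastName;
        private final int age;
        public Person(String firstName, String lastName, int age) {
            this.firstName = firstName; this.lastName = lastName; this.age = age;
        }
        public String getFirstName() { return firstName; }
        public String getLastName() { return lastName; }
        public int getAge() { return age; }
    }

    public static void main(String[] args) {
        Person alice = new Person("Alice", "Smith", 30);
        System.out.println(evaluate("displayName", alice));
        System.out.println(evaluate("isAdult", alice));

        // 1. Raw expression text from a caller is refused before it is ever parsed.
        try {
            evaluate("firstName + T(java.lang.Math).max(1, 2)", alice);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by allowlist: " + e.getMessage());
        }

        // 2. Even a parsed type reference cannot be resolved under SimpleEvaluationContext.
        Expression typeRef = PARSER.parseExpression("T(java.lang.Math).max(1, 2)");
        try {
            typeRef.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), alice);
        } catch (SpelEvaluationException e) {
            System.out.println("blocked by context: " + e.getMessage());
        }
    }
}
```

A JUnit test for step 3 of the verification list would assert that `evaluate` throws `IllegalArgumentException` for any key not in `ALLOWED`, and that the type-reference expression throws `SpelEvaluationException` under the read-only context.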
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |

## References

Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07