| Title | baomidou dynamic-datasource 2.5.0+ SpEL Injection |
|---|
| Description | dynamic-datasource evaluates @DS values as SpEL expressions in DsSpelExpressionProcessor#doDetermineDatasource using StandardEvaluationContext and SpelExpressionParser without input restriction. When applications use patterns like @DS("#tenant") and bind tenant from untrusted request input, attacker-controlled expressions can be evaluated at runtime. This enables expression injection and can lead to remote code execution depending on runtime exposure and expression payload. |
|---|
| Source | ⚠️ https://github.com/baomidou/dynamic-datasource/issues/766 |
|---|
| User | Winegee (UID 96308) |
|---|
| Submission | 04/07/2026 09:39 (19 days ago) |
|---|
| Moderation | 04/25/2026 18:10 (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 359624 [baomidou dynamic-datasource 2.5.0 StandardEvaluationContext/SpelExpressionParser DsSpelExpressionProcessor.java DsSpelExpressionProcessor#doDetermineDatasource injection] |
|---|
| Points | 20 |
|---|