Expression Language Injection

Impact: High


Expression Language Injection (EL Injection) is a critical vulnerability that occurs when user inputs are used to construct dynamic expressions in web applications without proper validation. Attackers exploit EL Injection to modify server-side expressions, potentially extracting sensitive information or executing commands on the server.


To mitigate EL Injection, avoid constructing expressions directly from user inputs. If using the Spring Framework, disable double resolution functionality. Additionally, for templating engines, refrain from using user inputs to build templates.


Last updated on May 13, 2024

This issue is available in SmartScanner Professional

See Pricing