CVE-2024-38808 - Exploiting SpEL for DoS in Spring Framework (Simple Explanation & Example)

In June 2024, the Spring Framework team announced a critical vulnerability in Spring Framework versions 5.3. – 5.3.38 (including some older, unsupported versions). Tracked as CVE-2024-38808, this bug lets an attacker send a malicious Spring Expression Language (SpEL) expression that causes the application to hang or crash—denial of service (DoS).

If your app lets users input SpEL expressions (directly or indirectly), you might be exposed.

What is SpEL?

SpEL stands for Spring Expression Language. It is a language used in the Spring Framework to query and manipulate objects at runtime, often used for templating, configuration, or dynamic features.

Example usage in Java

ExpressionParser parser = new SpelExpressionParser();
Expression expr = parser.parseExpression("2 + 2");
int result = expr.getValue(Integer.class);  // result = 4

How CVE-2024-38808 Works

Some applications allow users to craft or alter SpEL expressions—for example, in search or filter features, or via custom scripting in APIs.

If the app evaluates user-controlled SpEL, an attacker can supply complex expressions that take a long time to execute or create infinite loops. This eats up CPU, memory, or other resources, leading to slowdowns or full outages—a textbook DoS attack.

A simple multiplication isn't dangerous

2 * 2

A dangerous SpEL expression could be

new java.math.BigInteger("42").pow(999999999)

This tries to compute 42 to the power of nearly a billion! Evaluating this will eat up massive CPU and RAM, possibly locking up the whole server.

Example vulnerable code

@GetMapping("/evaluate")
@ResponseBody
public String evaluate(@RequestParam String expression) {
    ExpressionParser parser = new SpelExpressionParser();
    // WARNING: Directly evaluates untrusted input!
    Object result = parser.parseExpression(expression).getValue();
    return String.valueOf(result);
}

Attacker's request (expression parameter)

/evaluate?expression=new java.math.BigInteger("42").pow(999999999)

Or using recursive function calls

/evaluate?expression={"".getClass().forName("java.lang.Thread").sleep(100000)}

This hangs the application, blocks the thread, and can bring down the server with enough requests.

Links and Further Reading

- Official Spring announcement: Spring Framework 5.3.39+ Security Advisory
- CVE details: NVD entry for CVE-2024-38808
- About SpEL in Spring Docs: SpEL Reference
- Exploit tweet example: CVE-2024-38808 Twitter Thread

How to Protect Yourself

Immediate fix:
Upgrade to Spring Framework 5.3.39 or later.

Conclusion

CVE-2024-38808 is simple to understand and easy to prevent—but dangerous if left open.
If you’re accepting user SpEL, treat it as if you’re letting users run code on your server.

Upgrade now, and fix your code paths!

If you need a proof-of-concept or want help identifying vulnerable code, get in touch with project maintainers or your company’s security team. Stay safe!

Timeline

Published on: 08/20/2024 08:15:05 UTC
Last modified on: 08/20/2024 15:44:20 UTC