Spring AI Cypher Injection Vulnerability in Neo4jVectorFilterExpressionConverter

Vulnerability

A Cypher injection vulnerability has been identified in the `spring-ai-neo4j-store` component of Spring AI versions 1.0.0 prior to 1.0.5 and 1.1.0 prior to 1.1.4. The vulnerability arises in the `Neo4jVectorFilterExpressionConverter`, where user-controlled strings are used as filter expression keys. The `doKey()` method embeds each key into a backtick-delimited Cypher property accessor (the key is appended to `node.metadata.` inside backticks), but it only removes double quotes and does not escape backticks embedded in the key. A key containing a backtick can therefore close the quoted identifier early, allowing the generated Cypher query to be manipulated in unintended ways.
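The quoting behaviour the advisory describes, shown as an added illustration that is not Spring AI's code: a weak `do_key` that strips only double quotes, a hardened form that doubles backticks (Cypher's escape for backtick-quoted identifiers), an allowlist variant that rejects anything that is not a plain identifier, and a check that the emitted accessor is still one intact quoted identifier. Function names and the sample keys are constructed.

```python
import re

# Constructed prefix matching the accessor shape named in the advisory.
ACCESSOR_PREFIX = "node.metadata."


def weak_do_key(key: str) -> str:
    """Mimics the flawed behaviour: only double quotes are removed, so a
    backtick inside `key` terminates the quoted identifier early."""
    cleaned = key.replace('"', "")
    return f"{ACCESSOR_PREFIX}`{cleaned}`"


def hardened_do_key(key: str) -> str:
    """Doubles every backtick, the Cypher escape inside backtick-quoted
    identifiers, so the key can never close the identifier itself."""
    escaped = key.replace("`", "``")
    return f"{ACCESSOR_PREFIX}`{escaped}`"


SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def allowlisted_do_key(key: str) -> str:
    """Stricter alternative: accept only plain identifier characters."""
    if not SAFE_KEY.fullmatch(key):
        raise ValueError(f"metadata key rejected: {key!r}")
    return f"{ACCESSOR_PREFIX}`{key}`"


def identifier_is_intact(accessor: str) -> bool:
    """True if the accessor is exactly one backtick-quoted identifier: every
    backtick after the opener is either part of a doubled pair or the final
    closing backtick, with nothing following it."""
    if not accessor.startswith(ACCESSOR_PREFIX + "`"):
        return False
    body = accessor[len(ACCESSOR_PREFIX) + 1:]
    i = 0
    while i < len(body):
        if body[i] == "`":
            if i + 1 < len(body) and body[i + 1] == "`":
                i += 2  # escaped backtick, part of the identifier
                continue
            return i == len(body) - 1  # a lone backtick must be the closer
        i += 1
    return False  # identifier never closed


if __name__ == "__main__":
    for k in ("author", "tag`x"):
        for fn in (weak_do_key, hardened_do_key):
            out = fn(k)
            print(f"{fn.__name__}({k!r}) -> {out}  intact={identifier_is_intact(out)}")
```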

Impact

Exploitation of this vulnerability allows Cypher injection: an attacker who controls a filter expression key can alter the structure of the generated Cypher query rather than only its values. This could lead to unauthorized data access or modification within the Neo4j database.

Remediation

Users should upgrade to Spring AI version 1.0.5 or 1.1.4, depending on their current version.

Added: Mar 27, 2026, 6:24 AM
Updated: Mar 27, 2026, 6:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 6.8
remediation: 0.0
relevance: 4.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.