Valtimo Remote Code Execution Vulnerability via Spring Expression Language Injection

Vulnerability

A remote code execution vulnerability has been identified in Valtimo, an open-source business process automation platform. This issue affects the 'document', 'case', and 'contract' components across several versions. The vulnerability arises because these components evaluate user-supplied Spring Expression Language (SpEL) expressions using StandardEvaluationContext, which allows unrestricted access to Java types and methods. An authenticated user with the ADMIN role can exploit this to execute arbitrary OS commands and exfiltrate sensitive credentials.
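The contrast between the two Spring evaluation contexts, as an added example that is not Valtimo's code and does not claim to show how the project fixed the issue: the `Document` class, the expressions and the `evaluateUnrestricted`/`evaluateRestricted` helpers are constructed for illustration, and the `T(java.lang.Math)` reference is a harmless stand-in for any type reference an expression might attempt.

```java
// Added example (not Valtimo's code): evaluating a user-supplied SpEL string with
// StandardEvaluationContext versus SimpleEvaluationContext. Document, the helpers
// and the expressions below are constructed for illustration only.
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Hypothetical data object standing in for a case document referenced by a migration patch.
    public static class Document {
        private final String status;
        public Document(String status) { this.status = status; }
        public String getStatus() { return status; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Vulnerable pattern: the full context exposes T(...) type references, constructors
    // and reflective method invocation to whatever string the caller supplies.
    static Object evaluateUnrestricted(String expr, Document root) {
        return PARSER.parseExpression(expr).getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: read-only data binding exposes only JavaBean properties of the
    // root object; type references, constructors and method calls are not available.
    static Object evaluateRestricted(String expr, Document root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Document doc = new Document("open");
        String benign = "status == 'open' ? 'migrated' : status"; // legitimate data-binding logic
        String typeRef = "T(java.lang.Math).abs(-42)";            // harmless stand-in for a T(...) reference

        // Both contexts resolve the property-only expression.
        System.out.println(evaluateUnrestricted(benign, doc));
        System.out.println(evaluateRestricted(benign, doc));

        // Only the unrestricted context resolves the type reference; the restricted one throws.
        System.out.println(evaluateUnrestricted(typeRef, doc));
        try {
            evaluateRestricted(typeRef, doc);
        } catch (SpelEvaluationException e) {
            System.out.println("rejected by SimpleEvaluationContext: " + e.getMessage());
        }
    }
}
```

If the feature genuinely needs method calls on bound data, `SimpleEvaluationContext.forReadOnlyDataBinding().withInstanceMethods()` re-enables them on the root object's own instances while still leaving type references and constructors unavailable.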

Impact

Exploitation of this vulnerability allows authenticated ADMIN users to execute arbitrary operating system commands, exfiltrate environment variables (including database passwords, API keys, and Keycloak secrets), read Java Virtual Machine system properties, and load arbitrary classes.

Reproduction

The vulnerability can be reproduced by sending a request to the document migration REST API with a malicious SpEL expression in the 'source' or 'target' field of a 'DocumentMigrationPatch' object. Alternatively, in the 'contract' module, the vulnerability can be exploited through any admin-configured widget, dashboard, or feature that uses the 'Condition' framework by supplying a malicious SpEL expression in the 'value' field of the condition's JSON configuration.

Remediation

Users are advised to update to Valtimo versions 12.32.0 or 13.23.0, depending on the affected component.

Added: May 14, 2026, 5:32 PM
Updated: May 14, 2026, 5:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.5
remediation: 0.0
relevance: 8.3
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.