Dromara Warm-Flow Remote Code Execution Vulnerability via Unvalidated SpEL Expression Injection
Vulnerability
A remote code execution vulnerability exists in Dromara Warm-Flow versions through 1.8.4. The issue arises in the Workflow Definition Handler, specifically within the SpelHelper.parseExpression method. The vulnerability allows for code injection by manipulating the listenerPath, skipCondition, and permissionFlag arguments. Exploitation can be performed remotely, and a public exploit is available.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where Warm-Flow is running.
Reproduction
To reproduce this vulnerability, first, upload a workflow definition containing a malicious Spring Expression Language (SpEL) payload into the listenerPath, skipCondition, or permissionFlag fields via the /warm-flow/save-json endpoint. Once the workflow is saved, publish and start it through the business system that integrates Warm-Flow. This will trigger the execution of the injected SpEL expressions, leading to remote code execution on the server.
Remediation
Users are advised to update to the latest version of Dromara Warm-Flow, as this vulnerability has been fixed in version 1.8.5.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.