Apache ShenYu 2.4.1 Groovy Code Injection & SpEL Injection
Description
Apache ShenYu 2.4.0 and 2.4.1 allow RCE via Groovy and SpEL injection in selector/rule condition matching, fixed in 2.4.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache ShenYu (incubating) versions 2.4.0 and 2.4.1 contain a remote code execution vulnerability caused by evaluating administrator-supplied expressions in the plugin selector and rule condition matching without sanitization [2][3]. A selector or rule condition applies an operator to a request attribute, and the supported operators include match, =, regEx, like, contains, SpEL and Groovy. For the last two, the condition value is handed directly to the SpEL parser (parseExpression) or to Groovy's Eval.me without any filtering [3], so whoever controls the condition value controls code that runs inside those evaluation contexts [2][3].
Exploitation
An attacker with administrative access to the ShenYu Admin dashboard or API can store a selector or rule whose condition carries Groovy or SpEL code [3]. The prerequisite is the ability to create or modify selectors and rules, which normally requires authentication as an admin user [3]. Once the malicious rule is saved and the condition is evaluated, either against an incoming request or during rule evaluation, the injected code runs on the server hosting the ShenYu Admin or Bootstrap component that performs the evaluation [2][3]. No user interaction beyond the administrator's own action is required [3].
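The evaluation pattern described in the Vulnerability and Exploitation sections, shown as an added example beside a restricted form of the same evaluation. This is illustrative code written for this page, not ShenYu's own predicate code and not the project's 2.4.2 fix; the class name ConditionInjectionDemo, the RequestView stand-in for the request attributes a condition inspects, the method names and the sample conditions are assumptions, and the hardened variants use Spring's SimpleEvaluationContext and Groovy's SecureASTCustomizer as they exist in spring-expression 5.x and Groovy 3.x. The injected expressions only read a JVM system property; the same path reaches any static method, which is what makes the flaw remote code execution.

```java
// Added example, not ShenYu's or Spring's own code. Class/method names, the
// RequestView stand-in and the sample conditions are assumptions for illustration.
// Assumes spring-expression 5.x and groovy 3.x on the classpath.
import groovy.lang.GroovyShell;
import groovy.util.Eval;
import java.util.Collections;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ConditionInjectionDemo {

    /** Stand-in for the request attribute a selector/rule condition is matched against. */
    public static final class RequestView {
        private final String uri;
        public RequestView(String uri) { this.uri = uri; }
        public String getUri() { return uri; }
    }

    // VULNERABLE pattern: the stored condition goes straight into parseExpression()
    // and is evaluated in a StandardEvaluationContext, which permits T() type
    // references, constructors and static calls, so the condition is a program.
    static Object spelUnrestricted(String condition, RequestView req) {
        ExpressionParser parser = new SpelExpressionParser();
        return parser.parseExpression(condition).getValue(new StandardEvaluationContext(req));
    }

    // HARDENED: SimpleEvaluationContext has no usable type locator and no bean
    // resolver, so T(...), constructors, @bean references and static methods are
    // rejected; property reads and instance calls on the root object still work.
    static boolean spelRestricted(String condition, RequestView req) {
        ExpressionParser parser = new SpelExpressionParser();
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Boolean result = parser.parseExpression(condition).getValue(ctx, req, Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    // VULNERABLE pattern: Eval.me() compiles and runs the condition as a Groovy
    // script with the whole JDK reachable.
    static Object groovyUnrestricted(String condition) {
        return Eval.me(condition);
    }

    // HARDENED (partial, see note): compile through a SecureASTCustomizer that forbids
    // package declarations, closures and method definitions, and, because every import
    // whitelist is empty and indirect checks are on, rejects any class reference.
    static Object groovyRestricted(String condition, String uri) {
        SecureASTCustomizer sac = new SecureASTCustomizer();
        sac.setPackageAllowed(false);
        sac.setClosuresAllowed(false);
        sac.setMethodDefinitionAllowed(false);
        sac.setIndirectImportCheckEnabled(true);
        sac.setImportsWhitelist(Collections.emptyList());
        sac.setStarImportsWhitelist(Collections.emptyList());
        sac.setStaticImportsWhitelist(Collections.emptyList());
        sac.setStaticStarImportsWhitelist(Collections.emptyList());
        CompilerConfiguration conf = new CompilerConfiguration();
        conf.addCompilationCustomizers(sac);
        GroovyShell shell = new GroovyShell(conf);
        shell.setVariable("uri", uri); // the only data the condition may inspect
        return shell.evaluate(condition);
    }

    public static void main(String[] args) {
        RequestView req = new RequestView("/api/orders");

        // A legitimate routing condition works in both contexts.
        String benign = "uri.startsWith('/api')";
        System.out.println(spelUnrestricted(benign, req));
        System.out.println(spelRestricted(benign, req));

        // Injected condition: a type reference reaching a static JDK method.
        String injected = "T(java.lang.System).getProperty('java.version')";
        System.out.println(spelUnrestricted(injected, req)); // attacker-controlled call succeeds
        try {
            spelRestricted(injected, req);
        } catch (SpelEvaluationException e) {
            System.out.println("SpEL rejected: " + e.getMessageCode());
        }

        String groovyInjected = "java.lang.System.getProperty('java.version')";
        System.out.println(groovyUnrestricted(groovyInjected)); // attacker-controlled call succeeds
        System.out.println(groovyRestricted(benign, "/api/orders"));
        try {
            groovyRestricted(groovyInjected, "/api/orders");
        } catch (RuntimeException e) { // compilation fails on the class reference
            System.out.println("Groovy rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The SpEL side is the well-understood case: SimpleEvaluationContext is Spring's documented answer for evaluating expressions that are not fully trusted. The Groovy side is weaker. SecureASTCustomizer filters the compiled AST, and filters of that kind have documented bypasses through dynamic dispatch (for example reaching a Class object from an allowed value), so it narrows the attack surface rather than closing it. That asymmetry is why an operator that evaluates arbitrary Groovy should only be exposed to administrators who are trusted with code execution on the gateway anyway.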
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the Apache ShenYu application process [2][3]. This can lead to full compromise of the server, including data exfiltration, lateral movement within the network, and further attacks on connected services [2]. The impact is rated as moderate severity by the project [3], but the remote code execution capability gives an attacker complete control over the application and possibly the underlying host [2].
Mitigation
The vulnerability is fixed in Apache ShenYu version 2.4.2 [3]. Users running 2.4.0 or 2.4.1 should upgrade to 2.4.2 as soon as possible [3]; the fix is also available as the project's GitHub pull request #2576 for those who need to patch in place [3]. No workaround for unpatched versions is documented; until the update is applied, the only risk reduction is to restrict access to the ShenYu Admin dashboard and API to trusted users [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.shenyu:shenyu-common | Maven | >= 2.4.0, < 2.4.2 | 2.4.2 |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gh38-x2wm-xmc8 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-45029 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/01/25/8 (oss-security mailing list)
- www.openwall.com/lists/oss-security/2022/01/26/1 (oss-security mailing list)
- lists.apache.org/thread/3zzmwvg3012tg306x8o893fvdcssx639 (Apache mailing-list archive)
News mentions
No linked articles in our index yet.