High severity · OSV Advisory · Published Nov 20, 2024 · Updated Apr 15, 2026
CVE-2024-49203
Description
Querydsl 5.1.0 and OpenFeign Querydsl 6.8 allows SQL/HQL injection in orderBy in JPAQuery. NOTE: this is disputed by a Querydsl community member because the product is not intended to defend against a developer who uses untrusted input directly in query construction.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| io.github.openfeign.querydsl:querydsl-jpa | >= 6.0.0.M1, < 6.10.1 | 6.10.1 |
| io.github.openfeign.querydsl:querydsl-apt | >= 6.0.0.M1, < 6.10.1 | 6.10.1 |
| io.github.openfeign.querydsl:querydsl-jpa | < 5.6.1 | 5.6.1 |
| io.github.openfeign.querydsl:querydsl-apt | < 5.6.1 | 5.6.1 |
| com.querydsl:querydsl-jpa | <= 5.1.0 | — |
| com.querydsl:querydsl-apt | <= 5.1.0 | — |
Affected products
Patches
- 3818f62b33e500e99543f76fd37bf80a75477
Vulnerability mechanics
References
- github.com/advisories/GHSA-6q3q-6v5j-h6vg (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-49203 (advisory)
- github.com/OpenFeign/querydsl/releases/tag/5.6.1
- github.com/OpenFeign/querydsl/releases/tag/6.10.1
- github.com/OpenFeign/querydsl/security/advisories/GHSA-6q3q-6v5j-h6vg
- github.com/querydsl/querydsl/issues/3757
- github.com/querydsl/querydsl/releases/tag/QUERYDSL_5_1_0
- www.csirt.sk/querydsl-java-library-vulnerability-permits-sql-hql-injection.html
- github.com/OpenFeign/querydsl/pull/742
- github.com/OpenFeign/querydsl/pull/743
- github.com/spring-projects/spring-data-jpa/issues/3693