Impact
Spring Data MongoDB contains an injection flaw that lets a malicious actor embed Spring Expression Language (SpEL) payloads in annotated query parameters. The issue is triggered when a repository method annotated with @Query uses a capture‑all placeholder for user input. An attacker can supply a crafted value that is evaluated as arbitrary code or commands during query construction, compromising the confidentiality, integrity, and potentially the availability of the target application. The weakness is classified as CWE‑917, expression language injection.
Affected Systems
The flaw affects all versions of Spring Data MongoDB from 3.4.0 through 5.0.5, including the 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.0.x sub‑series. Any deployment that relies on Spring Data repository query methods using @Query with user‑supplied placeholders is exposed.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, with potential for remote code execution when the vulnerable query runs with the application's privileges. No EPSS score is available, and the absence of a KEV listing suggests that no mass exploitation has been observed yet, but the risk remains significant for systems that expose the vulnerable query methods to untrusted input. The likely attack vector is the application layer, where user‑supplied query parameters reach the annotated query without proper sanitization, leading to successful expression injection.
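To make the vulnerable shape from the Impact section concrete, and the sanitization point above actionable, here is an added example that is not part of the advisory or of the Spring Data project. It assumes a capture‑all placeholder of the form @Query("?0") is the trigger described; the document and repository names (UserDocument, UserRepository, username) are hypothetical, and only the Spring Data annotations are real.

```java
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

import java.util.List;

// Hypothetical document type used only to make the repository below self-contained.
@Document("users")
class UserDocument {
    @Id
    String id;
    String username;
}

public interface UserRepository extends MongoRepository<UserDocument, String> {

    // VULNERABLE SHAPE (assumed from the advisory's "capture-all placeholder"):
    // the entire query text comes from the caller, so whatever the caller passes
    // is treated as query source rather than as a bound value. Flag this pattern
    // in code review and replace it with one of the forms below.
    @Query("?0")
    List<UserDocument> findByRawQuery(String rawQuery);

    // HARDENED: the placeholder stands only for a field *value* inside a fixed
    // query template. Spring Data binds the argument as a BSON value, so the
    // caller cannot change the structure or semantics of the query.
    @Query("{ 'username' : ?0 }")
    List<UserDocument> findByUsernameValue(String username);

    // SAFEST FOR SIMPLE LOOKUPS: a derived query method with no @Query at all.
    // No caller-supplied text ever reaches a query template.
    List<UserDocument> findByUsername(String username);
}
```

When auditing a code base for this flaw, search for @Query annotations whose entire value (or whose whole query object) is a single placeholder, and treat any method exposed to request data that matches as affected until it is rewritten.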
OpenCVE Enrichment