Impact
Spring Data REST processes JSON Patch requests that may target map-typed properties. When such a request names a map key, the key is incorporated unvalidated into a SpEL expression. This is a classic Expression Language Injection (CWE-917) that can allow an attacker to execute arbitrary server-side code or modify database records. The exploit requires crafting a JSON Patch payload whose map key contains a malicious SpEL expression and sending it to an exposed REST endpoint. The CVSS score is 8.1; no EPSS score is available, so the likelihood of exploitation remains uncertain, but the potential impact is high. This vulnerability is not listed in the CISA KEV catalog.
Affected Systems
Spring Data REST 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 are affected. The vendor is Spring; the product is Spring Data REST. Any application that includes these library versions and exposes endpoints that accept JSON Patch requests is at risk.
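The following triage helper is an added example, not code from the advisory or from the Spring project. It encodes the five affected ranges listed above and checks dependency coordinates against them, so a team can scan build output for vulnerable Spring Data REST artifacts. The artifact names and version strings in the sample input are constructed for the demonstration; pre-release qualifiers such as -SNAPSHOT or -RC1 are compared by their numeric part only, which is the conservative choice.

```python
"""Check Spring Data REST dependency versions against the advisory's affected ranges.

Added example (not from the advisory or the Spring project). The ranges below
are the five listed in the advisory, inclusive at both ends.
"""
import re

# (first affected, last affected), both inclusive, as listed in the advisory.
AFFECTED_RANGES = [
    ("3.7.0", "3.7.19"),
    ("4.3.0", "4.3.16"),
    ("4.4.0", "4.4.14"),
    ("4.5.0", "4.5.11"),
    ("5.0.0", "5.0.5"),
]

# MAJOR.MINOR.PATCH with an optional qualifier (e.g. -SNAPSHOT, -RC1, .RELEASE).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9.-]+))?$")


def parse_version(text):
    """Return (major, minor, patch, qualifier) for a Spring-style version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) or "")


def is_affected(version):
    """True when the numeric part of `version` lies inside any affected range.

    Pre-release builds (4.3.0-M1 and the like) are treated as their numeric
    version, so they are reported as affected rather than silently skipped.
    """
    nums = parse_version(version)[:3]
    return any(parse_version(lo)[:3] <= nums <= parse_version(hi)[:3]
               for lo, hi in AFFECTED_RANGES)


def scan_dependency_list(lines):
    """Scan Maven-style coordinate lines and return affected Spring Data REST artifacts.

    Accepts either 'group:artifact:version' or the five-field
    'group:artifact:type:version:scope' form printed by mvn dependency:list.
    Returns a list of (artifact, version) tuples that fall in an affected range.
    """
    hits = []
    for raw in lines:
        line = raw.strip()
        # Strip a leading Maven log prefix such as '[INFO]    ' if present.
        line = re.sub(r"^\[\w+\]\s*", "", line)
        parts = line.split(":")
        if len(parts) == 3:
            group, artifact, version = parts
        elif len(parts) == 5:
            group, artifact, _type, version, _scope = parts
        else:
            continue
        if group != "org.springframework.data" or not artifact.startswith("spring-data-rest"):
            continue
        if is_affected(version):
            hits.append((artifact, version))
    return hits


# Constructed sample of dependency:list output; versions are illustrative only.
SAMPLE_DEPENDENCIES = [
    "[INFO]    org.springframework.data:spring-data-rest-webmvc:jar:4.5.10:compile",
    "[INFO]    org.springframework.data:spring-data-rest-core:jar:4.5.10:compile",
    "[INFO]    org.springframework.data:spring-data-jpa:jar:3.2.0:compile",
    "org.springframework.data:spring-data-rest-hal-explorer:3.7.19",
]

if __name__ == "__main__":
    for artifact, version in scan_dependency_list(SAMPLE_DEPENDENCIES):
        print(f"AFFECTED: {artifact} {version}")
```

Run it against the real output of `mvn dependency:list` (or an equivalent Gradle dependency report reformatted to `group:artifact:version` lines) and treat any hit as a patch-now item.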
Risk and Exploitability
The vulnerability stems from embedding a map key, unsanitized, into a SpEL expression. An attacker who can control the JSON Patch payload may trigger arbitrary code execution or unauthorized data manipulation. The high CVSS score indicates significant severity, but the absence of an EPSS metric leaves the exploitation probability unclear. The exploit path is via application/json-patch+json requests, so any publicly exposed endpoint that accepts such traffic is a potential entry point. This issue is not listed in the CISA KEV catalog, which suggests that no public exploit has been observed, but the impact warrants immediate attention.
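Until the library is upgraded, a compensating control is to inspect JSON Patch bodies before they reach Spring Data REST. The example below is added here and is not code from the advisory or the Spring project: it selects requests by the application/json-patch+json media type, decodes each RFC 6901 pointer segment in the `path` and `from` fields, and also walks object keys nested inside an operation's `value`, since a map key can arrive either way. Any key that is not identifier-like is reported for logging or rejection. The identifier allow-list is an assumption about the application's domain model, and the sample requests are constructed.

```python
"""Pre-filter that flags non-identifier keys in JSON Patch requests.

Added example (not from the advisory or the Spring project). It uses an
allow-list rather than a denylist of expression syntax, so it does not need
to know which characters a SpEL parser treats as special.
"""
import json
import re

PATCH_MEDIA_TYPE = "application/json-patch+json"

# Assumption: map keys in this application's models are identifier-like.
# Anything outside this set (including '.', '(', '#', '{', '@') is flagged.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]*$")


def is_json_patch(content_type):
    """True when the media type, ignoring parameters and case, is JSON Patch."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media == PATCH_MEDIA_TYPE


def pointer_segments(path):
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens.

    '~1' must be unescaped before '~0', otherwise '~01' would decode wrongly.
    """
    if path == "":
        return []
    if not path.startswith("/"):
        raise ValueError("JSON Pointer must be empty or start with '/'")
    return [seg.replace("~1", "/").replace("~0", "~") for seg in path[1:].split("/")]


def nested_keys(value, prefix):
    """Yield (location, key) for every object key nested inside a patch value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield f"{prefix}/{key}", key
            yield from nested_keys(child, f"{prefix}/{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from nested_keys(child, f"{prefix}/{i}")


def find_suspicious_keys(patch_doc):
    """Return (operation index, location, key) for every key that fails the allow-list."""
    findings = []
    for idx, op in enumerate(patch_doc):
        for field in ("path", "from"):
            if field in op:
                for seg in pointer_segments(op[field]):
                    if not SAFE_SEGMENT.match(seg):
                        findings.append((idx, field, seg))
        if "value" in op:
            for location, key in nested_keys(op["value"], "value"):
                if not SAFE_SEGMENT.match(key):
                    findings.append((idx, location, key))
    return findings


def triage_request(content_type, body):
    """Inspect one request; an empty list means nothing to flag."""
    if not is_json_patch(content_type):
        return []
    doc = json.loads(body)
    if not isinstance(doc, list):
        raise ValueError("JSON Patch body must be an array of operations")
    return find_suspicious_keys(doc)


# Constructed sample requests; the keys are illustrative, not real payloads.
BENIGN_BODY = json.dumps([{"op": "replace", "path": "/attributes/color", "value": "blue"}])
ODD_PATH_BODY = json.dumps([{"op": "remove", "path": "/attributes/x#y"}])
ODD_VALUE_BODY = json.dumps([{"op": "add", "path": "/attributes", "value": {"a(b)": 1}}])

if __name__ == "__main__":
    for body in (BENIGN_BODY, ODD_PATH_BODY, ODD_VALUE_BODY):
        print(triage_request("application/json-patch+json; charset=utf-8", body))
```

Deploy this in a servlet filter, API gateway or WAF rule in front of the affected service, and log every finding with the source address so the security operations team can review blocked requests; it complements, rather than replaces, upgrading to a fixed release.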
OpenCVE Enrichment