Impact
Spring AI Vector Stores lack proper filtering of metadata that contains special characters. The flaw allows an attacker to inject arbitrary query fragments into the underlying Elasticsearch, OpenSearch, or GemFire VectorDB queries. The injection can lead to unintended data retrieval or manipulation, effectively giving the attacker the ability to execute arbitrary searches or commands against the datastore. The weakness is categorized as CWE‑943 for insecure handling of output or input.
Affected Systems
Components spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store in Spring AI are affected. All releases from 1.0.0 through 1.0.x (fixed in 1.0.9) and 1.1.0 through 1.1.x (fixed in 1.1.8) carry the vulnerability. Applications incorporating these stores and exposing metadata handling are susceptible.
Risk and Exploitability
The CVSS score of 8.6 classifies the vulnerability as high severity, while the EPSS score of less than 1 % indicates a low exploitation probability. The issue is not listed in CISA’s KEV catalog. Attackers likely embed malicious query fragments in metadata sent through API endpoints. Successful exploitation could enable arbitrary search queries against the datastore and may lead to data disclosure or denial of service. Prompt remediation is recommended despite the low expected exploitation rate.
OpenCVE Enrichment