CVE-2026-22738

Spring · Spring AI

Spring AI versions prior to 1.0.5 and 1.1.4 are vulnerable to SpEL injection in SimpleVectorStore when user-supplied input is used as a filter expression key, leading to remote code execution.

Executive summary

Spring AI applications using SimpleVectorStore are exposed to critical remote code execution if they let user-controlled input define filter expression keys.

Vulnerability

The vulnerability is a Spring Expression Language (SpEL) injection. When an application uses SimpleVectorStore and passes unvalidated user input as a key in a filter expression, a remote attacker can inject malicious SpEL expressions that are evaluated by the server, resulting in arbitrary code execution.

Business impact

Exploitation of this vulnerability can yield unauthenticated remote code execution (RCE), depending on how the application exposes its search or filtering functionality. With a CVSS score of 9.8, the risk involves complete system takeover, data theft, and potential use of the server as a foothold for further internal network attacks.

Remediation

Immediate Action: Update Spring AI to version 1.0.5, 1.1.4, or later. Ensure that no user-supplied data is directly used as a key in filter expressions.

Proactive Monitoring: Monitor for application errors related to SpEL parsing and audit code for any dynamic expression building using external inputs.

Compensating Controls: Implement strict input validation or use an allowlist for filter keys to prevent the injection of special characters used in SpEL expressions.
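Added example, not code from this advisory or from the Spring AI project: an allowlist check on user-supplied filter keys applied before any key reaches Spring AI's FilterExpressionBuilder, so that only metadata keys the application itself defines can appear in a filter expression. FilterExpressionBuilder and Filter.Expression are Spring AI types; the class name, the allowed key names and the identifier pattern are assumptions.

```java
// Added example (not Spring AI project code): reject any user-supplied filter key
// that is not on an explicit allowlist before it reaches a SpEL-evaluated filter.
// The allowed key names below are hypothetical; replace them with the metadata
// keys your application actually stores.
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.ai.vectorstore.filter.Filter;
import org.springframework.ai.vectorstore.filter.FilterExpressionBuilder;

public final class SafeMetadataFilter {

    // Only metadata keys the application defines itself may be used as filter keys.
    private static final Set<String> ALLOWED_KEYS = Set.of("tenant", "category", "year");

    // Defence in depth: even an allowlisted key must be a plain identifier,
    // never an expression fragment.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z][A-Za-z0-9_]{0,63}$");

    private SafeMetadataFilter() {}

    /** Returns the key unchanged if it is allowlisted, otherwise throws. */
    public static String requireAllowedKey(String userSuppliedKey) {
        if (userSuppliedKey == null
                || !IDENTIFIER.matcher(userSuppliedKey).matches()
                || !ALLOWED_KEYS.contains(userSuppliedKey)) {
            // Do not echo the rejected key into the message: it is untrusted input.
            throw new IllegalArgumentException("unsupported filter key");
        }
        return userSuppliedKey;
    }

    /**
     * Builds an AND of equality filters from user-supplied key/value pairs.
     * Keys are validated against the allowlist; values are handed to the builder
     * as typed arguments rather than concatenated into an expression string.
     */
    public static Filter.Expression buildFilter(Map<String, String> userFilters) {
        FilterExpressionBuilder b = new FilterExpressionBuilder();
        FilterExpressionBuilder.Op combined = null;
        for (Map.Entry<String, String> e : userFilters.entrySet()) {
            FilterExpressionBuilder.Op term = b.eq(requireAllowedKey(e.getKey()), e.getValue());
            combined = (combined == null) ? term : b.and(combined, term);
        }
        if (combined == null) {
            throw new IllegalArgumentException("no filter supplied");
        }
        return combined.build();
    }
}
```

The resulting Filter.Expression can be passed to the vector store's search request; a request carrying any key outside the allowlist fails validation before an expression is ever built.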

Exploitation status

Public Exploit Available: false

Analyst recommendation

SpEL injection is a well-known and highly dangerous vulnerability class. Developers using Spring AI must update their dependencies immediately and review their implementation of SimpleVectorStore to ensure secure input handling practices are followed.