Expression Language Injection

high Web App Scanning Plugin ID 113317

Expression Language (EL) was defined as part of the JavaServer Pages Standard Tag Library (JSTL) to give developers a simple way to output data from an object model. Since the JSP 2.0 specification, EL has been available directly within JSP pages, and similar expression languages are also present in many other implementations, such as:
- Apache Jakarta
- Object-Graph Navigation Language (OGNL) used by Struts and WebWork
- MVFLEX Expression Language (MVEL)
- Spring Expression Language (SPEL)

An Expression Language Injection (ELI) vulnerability exists when an application incorporates unsafe, user-controlled input into an expression that is then dynamically evaluated by an expression interpreter.

By injecting a payload tailored to the expression interpreter used by the application, an attacker can leverage this vulnerability to gain access to sensitive information or to achieve remote code execution on the target server.


Developers should avoid evaluating expressions derived directly from untrusted user input. If the application still requires this type of input, the user-supplied data should be strictly validated, by using an allowlist or by filtering special characters, so that it cannot be turned into a more complex expression.
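As an added illustration, not part of this plugin's text, the following Java class contrasts the vulnerable pattern (evaluating a request parameter as a raw SpEL expression) with the recommended one (allowlist the input, then evaluate it in a read-only data-binding context). It assumes Spring's spring-expression library on the classpath; the Order model, its field names and the sample values are constructed for the example.

```java
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class ElInjectionDemo {
    // Constructed model object: the only data a report template is meant to read.
    public static class Order {
        private final String id, customer; private final double total;
        public Order(String id, String customer, double total) { this.id = id; this.customer = customer; this.total = total; }
        public String getId() { return id; }
        public String getCustomer() { return customer; }
        public double getTotal() { return total; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE (CWE-917): the request parameter is parsed and evaluated as a SpEL expression
    // in the default StandardEvaluationContext, so the input can reach far more than Order's
    // getters (type references, method calls, constructors), not just the field it names.
    static Object renderVulnerable(String userExpression, Order order) {
        return PARSER.parseExpression(userExpression).getValue(order);
    }

    // HARDENED: (1) reject anything that is not a plain identifier on a fixed allowlist of
    // field names, and (2) evaluate what remains in a read-only data-binding context, which
    // only permits property reads on the root object (no method calls, no T(...) access).
    private static final Pattern IDENTIFIER = Pattern.compile("[a-z][a-zA-Z0-9]{0,30}");
    private static final Set<String> ALLOWED_FIELDS = Set.of("id", "customer", "total");

    static Object renderSafe(String userExpression, Order order) {
        if (!IDENTIFIER.matcher(userExpression).matches() || !ALLOWED_FIELDS.contains(userExpression)) {
            throw new IllegalArgumentException("Rejected template field: " + userExpression);
        }
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(userExpression).getValue(ctx, order);
    }

    public static void main(String[] args) {
        Order order = new Order("A-1001", "Alice", 42.50);  // constructed sample data
        System.out.println(renderSafe("customer", order));
        try {
            renderSafe("customer.length()", order);          // not on the allowlist: rejected
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Both layers matter: the allowlist stops unexpected input at the boundary, and the restricted evaluation context limits the damage if a validation gap is ever found.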

Plugin Details

Severity: High

ID: 113317

Type: remote

Family: Injection

Published: 8/8/2022

Updated: 7/6/2023

Scan Template: api, full, pci, scan

Risk Information


Risk Factor: Medium

Score: 4.2


Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable


Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

Reference Information

CWE: 917

OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3

WASC: Improper Input Handling

CAPEC: 3, 6, 7, 8, 9, 10, 13, 14, 24, 28, 34, 42, 43, 45, 46, 47, 51, 52, 53, 64, 67, 71, 72, 76, 78, 79, 80, 83, 84, 101, 108, 120, 135, 250, 267, 273


HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10


OWASP ASVS: 4.0.2-5.2.5

PCI-DSS: 3.2-6.5.1