Spring Boot Admins integrated FeiShu notifier support allows arbitrary code execution

[cybervuln2077]

Spring Boot Admin Server information

• Version:
  <=3.5.6

• Spring Boot version:
  3.5.7

• Configured Security:
  Attack requires an actor who can modify the Admin Server’s external configuration (files, env vars, config server, etc.).

• Webflux or Servlet application:
  Servlet-based Spring Boot Admin Server (FeiShu notifier is implemented on top of the standard Spring MVC stack).

Client information

• Spring Boot versions:
  Affects monitored instances independent of their Spring Boot version, as the vulnerability is located in the Admin Server’s FeiShuNotifier implementation, not in the clients.
• Used discovery mechanism:
  Self-registration / Kubernetes / Eureka, etc. — not security‑relevant for this issue.
• Webflux or Servlet application:
  Clients can be either WebFlux or Servlet; the issue is in the Admin Server only.

Description

Summary

Title: SpEL Injection in FeiShuNotifier Leads to Remote Code Execution
Severity: High
Component: de.codecentric.boot.admin.server.notify.FeiShuNotifier (Spring Boot Admin Server)

The FeiShu notifier (FeiShuNotifier) uses the Spring Expression Language (SpEL) engine to render notification message templates.
The message template is configurable via the external property spring.boot.admin.notify.feishu.message.
The current implementation parses this user-controlled template into a SpEL expression and later evaluates it with a high-privilege StandardEvaluationContext without any restrictions.

An attacker who can modify the Admin Server’s configuration (configuration files, environment variables, remote config server, etc.) can inject arbitrary SpEL expressions.
When a FeiShu notification is sent, the injected expression is evaluated with full access to the application runtime, leading to remote code execution (RCE) on the Admin Server.

The root cause of this issue is conceptually similar to the previously disclosed vulnerability in Spring Boot Admin’s integrated notifier support (CVE-2022-46166, advisory [GHSA-w3x5-427h-wfq6](https://github.com/codecentric/spring-boot-admin/security/advisories/GHSA-w3x5-427h-wfq6)), where user-influenced SpEL expressions in notifier components were evaluated with an overly powerful evaluation context, allowing arbitrary code execution.

Impact

• Confidentiality: Full read access to process memory and secrets is possible (e.g. environment variables, configuration, database credentials) via SpEL.
• Integrity: Arbitrary code execution allows modification of application state, tampering with monitored instances, or pivoting further into the infrastructure.
• Availability: An attacker can shut down the JVM, spawn resource‑exhausting processes, or otherwise cause denial of service.

This vulnerability therefore enables an authenticated or otherwise configuration-capable actor to fully compromise the Spring Boot Admin Server host.

Technical details

Vulnerability chain

The data flow from external configuration to code execution is as follows:

1. Source (configuration input)
   An attacker sets a malicious template string in an external configuration source:

   # application.properties
   spring.boot.admin.notify.feishu.message=#{T(java.lang.Runtime).getRuntime().exec('calc')}

2. Configuration binding
   Spring Boot’s @ConfigurationProperties("spring.boot.admin.notify.feishu") automatically binds the above value to the message field of the FeiShuNotifier bean.

3. Entry point (expression parsing)
   When this Spring Boot Admin component is combined with other components, the setMessage method can be invoked with untrusted data coming from external components; this untrusted string is then parsed directly as a SpEL expression and stored, which can be abused to trigger severe RCE attacks:

   // de.codecentric.boot.admin.server.notify.FeiShuNotifier.java
   public void setMessage(String message) {
       // The user-controlled 'message' parameter is directly parsed as a SpEL expression.
       this.message = this.parser.parseExpression(message, ParserContext.TEMPLATE_EXPRESSION);
   }

   In the same configuration binding process, the FeiShu notifier also exposes a writable messageType property that is fully controlled by external configuration:

   // de.codecentric.boot.admin.server.notify.FeiShuNotifier.java
   public void setMessageType(MessageType messageType) {
       this.messageType = messageType;
   }

   Because messageType is bound from configuration without validation, an attacker who can change configuration can force the notifier to use the template-based rendering path that evaluates the malicious SpEL expression, making setMessageType an additional exploitable configuration entry in the overall attack chain.

4. Sink (expression evaluation / RCE)
   When a notification is created, the stored expression is evaluated using a powerful StandardEvaluationContext:

   // de.codecentric.boot.admin.server.notify.FeiShuNotifier.java
   private String createContent(InstanceEvent event, Instance instance) {
       Map<String, Object> root = new HashMap<>();
       root.put("event", event);
       root.put("instance", instance);
       root.put("lastStatus", this.getLastStatus(event.getInstance()));
       // 1. A dangerous, full-permission SpEL context is created.
       StandardEvaluationContext context = new StandardEvaluationContext(root);
       context.addPropertyAccessor(new MapAccessor());
       // 2. This context is used to execute the potentially malicious expression from the configuration, leading to RCE.
       return this.message.getValue(context, String.class);
   }

Because StandardEvaluationContext is not restricted, the expression has access to java.lang.Runtime and other critical APIs, enabling arbitrary command execution on the server.

Steps to reproduce

1. Deploy a Spring Boot Admin Server with the FeiShu notifier enabled.

2. Configure the following property via any external configuration source that the server trusts:

   spring.boot.admin.notify.feishu.message=#{T(java.lang.Runtime).getRuntime().exec('calc')}

3. Trigger any event that causes the Admin Server to send a FeiShu notification (e.g. a registered instance changes status).

4. Observe that the operating system command (calc in the example) is executed on the Admin Server host, confirming RCE.

Affected configuration

• FeiShu notifier is enabled and active.
• The Admin Server uses FeiShuNotifier with a message template configured via external configuration (properties, YAML, environment variables, config server, etc.).
• The actor is able to modify the configuration that feeds spring.boot.admin.notify.feishu.message.

Suggested remediation

The core problem is the use of StandardEvaluationContext for evaluating a user-configurable expression. The recommended fix is to replace StandardEvaluationContext with a restricted SimpleEvaluationContext, which disables access to arbitrary Java types and methods and only allows controlled property access.

[cdprete]

It seems to be the same of GHSA-w3x5-427h-wfq6

[cybervuln2077]

It seems to be the same of GHSA-w3x5-427h-wfq6

Yes, they are based on the same root cause.

[cdprete]

It seems to be the same of GHSA-w3x5-427h-wfq6

Yes, they are based on the same root cause.

I think that potentially all the notifiers have this issue.

[SteKoe]

Hi, other Notifiers are not affected. The linked CVE has been resolved in 320eab1. Feishu was added later on and we missed to check for the use of StandardExecutionContext when we merged the PR.

[cybervuln2077]

Thank you for the quick fix! I appreciate the team's responsiveness and commitment to security. Looking forward to contributing more in the future. 🙏