Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Weakness ID: 917 (Weakness Base)Status: Incomplete
+ Description

Description Summary

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
+ Alternate Terms
EL Injection
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms



+ Common Consequences

Technical Impact: Read application data


Technical Impact: Execute unauthorized code or commands

+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class77Improper Neutralization of Special Elements used in a Command ('Command Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
+ Relationship Notes

In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.

+ References
Stefano Di Paola and Arshan Dabirsiaghi. "Expression Language Injection". <>.
Dan Amodio. "Remote Code with Expression Language Injection". 2012-12-14. <>.
+ Content History
Submission DateSubmitterOrganizationSource
2013-02-15MITREInternal CWE Team
Contribution DateContributorOrganizationSource
2013-02-15Dan Amodio, Dave WichersAspect SecurityFeedback
Suggested adding this weakness and provided references.
Page Last Updated: July 30, 2014