UNKNOWN
CVE-2026-22743
Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter
Platform: java
Component: org.springframework.ai:spring-ai-neo4j-store
Fixed in: 1.0.5
Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
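To make the weakness concrete, the following added example (not Spring AI's code; class and method names are hypothetical) contrasts a key renderer that strips only double quotes with two hardened variants: escaping backticks per Cypher's doubled-backtick rule, and rejecting any key not on an allow-list. A small check confirms the rendered accessor never breaks out of its quoted identifier.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not the project's own code. Illustrates how a filter key should
// be rendered into a backtick-quoted Cypher property accessor.
public class CypherKeyRendering {

    // Mirrors the weakness described above: only double quotes are removed, so a
    // backtick inside the key terminates the quoted identifier early.
    static String weakDoKey(String key) {
        return "node.`metadata." + key.replace("\"", "") + "`";
    }

    // Hardened variant 1: inside a backtick-quoted Cypher identifier a literal
    // backtick is written as two backticks, so double every embedded backtick.
    static String escapedDoKey(String key) {
        return "node.`metadata." + key.replace("`", "``") + "`";
    }

    // Hardened variant 2 (preferred when the metadata schema is known): accept only
    // allow-listed keys made of a strict character class, fail closed otherwise.
    private static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    static String validatedDoKey(String key, Set<String> allowedKeys) {
        if (!allowedKeys.contains(key) || !SAFE_KEY.matcher(key).matches()) {
            throw new IllegalArgumentException("filter key not permitted: " + key);
        }
        return "node.`metadata." + key + "`";
    }

    // Check used as a unit-test oracle: after removing escaped pairs, a correctly
    // rendered accessor contains exactly one opening and one closing backtick.
    static boolean staysInsideIdentifier(String rendered) {
        String withoutEscapes = rendered.replace("``", "");
        return withoutEscapes.chars().filter(c -> c == '`').count() == 2;
    }

    public static void main(String[] args) {
        String benign = "author";
        String strayBacktick = "au`thor"; // constructed sample key with an embedded backtick

        System.out.println(staysInsideIdentifier(weakDoKey(benign)));          // true
        System.out.println(staysInsideIdentifier(weakDoKey(strayBacktick)));   // false: identifier broken
        System.out.println(staysInsideIdentifier(escapedDoKey(strayBacktick))); // true: backtick escaped
        System.out.println(validatedDoKey(benign, Set.of("author", "year")));  // node.`metadata.author`
    }
}
```

Allow-listing is the stronger control because it also bounds which properties a caller may filter on; escaping alone only prevents the identifier break-out.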
How to fix
Upgrade the spring-ai-neo4j-store dependency to version 1.0.5 or later if you are on the 1.0.x branch, or to version 1.1.4 or later if you are on the 1.1.x branch. This fixes the Cypher injection vulnerability. Check the release notes for additional details about the upgrade.