GHSA-VP6R-9M58-5XV8

Vulnerability from github – Published: 2026-04-16 21:31 – Updated: 2026-04-16 21:31
VLAI?
Summary
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Details

Impact

Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side.

The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.

Applications using CDNResourceHandler without wildcard mappings (i.e. only explicit resource-to-URL mappings) are not affected.

Patches

Fixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.

Workarounds

Replace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:

libraryName:*=https://cdn.example.com/*

with individual entries:

libraryName:resource1.js=https://cdn.example.com/resource1.js,
libraryName:resource2.js=https://cdn.example.com/resource2.js
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.omnifaces:omnifaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.omnifaces:omnifaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0-RC1"
            },
            {
              "fixed": "2.7.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.omnifaces:omnifaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0-RC1"
            },
            {
              "fixed": "3.14.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.omnifaces:omnifaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0-M1"
            },
            {
              "fixed": "4.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 5.2.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.omnifaces:omnifaces"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0-M1"
            },
            {
              "fixed": "5.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:31:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nServer-side EL injection leading to Remote Code Execution (RCE). Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request\nURL containing an EL expression in the resource name, which is evaluated server-side.\n\nThe severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.\n\nApplications using `CDNResourceHandler` without wildcard mappings (i.e. only explicit resource-to-URL mappings) are **not** affected.\n\n### Patches\n\nFixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.\n\n### Workarounds\n\nReplace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:\n```\nlibraryName:*=https://cdn.example.com/*\n```\nwith individual entries:\n```\nlibraryName:resource1.js=https://cdn.example.com/resource1.js,\nlibraryName:resource2.js=https://cdn.example.com/resource2.js\n```",
  "id": "GHSA-vp6r-9m58-5xv8",
  "modified": "2026-04-16T21:31:14Z",
  "published": "2026-04-16T21:31:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/omnifaces/omnifaces"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OmniFaces: EL injection via crafted resource name in wildcard CDN mapping"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.