CVE-2016-4977

HIGH · EXPLOITED · NUCLEI

Spring Security OAuth 1.0.0-1.0.5 and 2.0.0-2.0.9 - Remote Code Execution via response_type Parameter


Exploitation Summary

CVE-2016-4977 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from the researchers tpt11fb and N0b1e6. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a Burp Suite plugin named SpringVulScan designed to detect Spring framework vulnerabilities, including CVE-2022-22965. It includes DNS-based and callback-based detection mechanisms for various Spring CVEs.

Description

When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the value of the response_type parameter was evaluated as a Spring SpEL expression, which enabled a malicious user to trigger remote code execution by crafting the value of response_type.

Exploits (2)

nomisec SCANNER 154 stars
by tpt11fb · poc
https://github.com/tpt11fb/SpringVulScan

This repository contains a Burp Suite plugin named SpringVulScan designed to detect Spring framework vulnerabilities, including CVE-2022-22965. It includes DNS-based and callback-based detection mechanisms for various Spring CVEs.

Classification
Scanner 95%
Attack Type
Info Leak | RCE
Complexity
Moderate
Reliability
Reliable
Target: Spring Framework (various versions)
No auth needed
Prerequisites: Burp Suite · Network access to target · DNS resolution for callback detection
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by N0b1e6 · remote
https://github.com/N0b1e6/CVE-2016-4977-POC

This PoC demonstrates a SpEL (Spring Expression Language) injection vulnerability in Spring Security OAuth, allowing arbitrary command execution via crafted expressions. The script generates a payload that leverages Java Runtime.exec to execute commands based on user input.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: Spring Security OAuth (versions affected by CVE-2016-4977)
No auth needed
Prerequisites: Target application using vulnerable Spring Security OAuth version · Ability to inject SpEL expressions into user-controlled input
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Spring Security OAuth2 Remote Command Execution
HIGH · by princechaddha

Scores

CVSS v3 8.8
EPSS 0.9366
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-08-14
CWE
CWE-19
Status published
Products (19)
org.springframework.security.oauth/spring-security-oauth2 2.0.0 - 2.0.10 (Maven)
Pivotal/Spring Security OAuth 1.0.0 to 1.0.5
Pivotal/Spring Security OAuth 2.0.0 to 2.0.9
pivotal/spring_security_oauth 1.0.0
pivotal/spring_security_oauth 1.0.1
pivotal/spring_security_oauth 1.0.2
pivotal/spring_security_oauth 1.0.3
pivotal/spring_security_oauth 1.0.4
pivotal/spring_security_oauth 1.0.5
pivotal/spring_security_oauth 2.0.0
... and 9 more
Published May 25, 2017
Tracked Since Feb 18, 2026