CVE-2018-1270

CRITICAL

Spring Framework < 4.3.16 and 5.0 < 5.0.5 - Remote Code Execution via STOMP over WebSocket

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2018-1270. PoCs published by CaledoniaProject, Venscor, tafamace.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2018-1270, demonstrating remote code execution via SpEL injection in Spring Messaging's STOMP selector. The exploit leverages a malicious selector in a WebSocket subscription to execute arbitrary commands.

Description

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Exploits (4)

nomisec WORKING POC 113 stars
by CaledoniaProject · poc
https://github.com/CaledoniaProject/CVE-2018-1270

This repository contains a functional proof-of-concept for CVE-2018-1270, demonstrating remote code execution via SpEL injection in Spring Messaging's STOMP selector. The exploit leverages a malicious selector in a WebSocket subscription to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Spring Framework 5.0 to 5.0.4, Spring Framework 4.3 to 4.3.14
No auth needed
Prerequisites: Target must be using spring-messaging with WebSocket and STOMP
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by Venscor · poc
https://github.com/Venscor/CVE-2018-1270

This repository demonstrates CVE-2018-1270, a Spring WebSocket STOMP message broker vulnerability allowing SpEL injection for RCE. The PoC includes a Spring Boot application with WebSocket configuration and a client-side JavaScript exploit.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Spring Framework (WebSocket STOMP)
No auth needed
Prerequisites: Network access to vulnerable Spring WebSocket endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2018-1270

The provided code is a simple Java stub that prints command-line arguments and does not demonstrate any exploit functionality for CVE-2018-1270. It lacks any offensive techniques or vulnerability-specific logic.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by Tom4t0 · poc
https://github.com/Tom4t0/CVE-2018-1270_EXP

This PoC exploits CVE-2018-1270, a Spring Data Commons remote code execution vulnerability via STOMP over WebSocket. It constructs a malicious SpEL expression in the 'selector' header to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Spring Data Commons (versions before 1.13.11, 2.0.6)
No auth needed
Prerequisites: STOMP over WebSocket endpoint exposed · Spring Data Commons vulnerable version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (16)

Core 16
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2939
Broken Link, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44796/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103696
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2018-1270
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 9.8
EPSS 0.8935
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-358 CWE-94
Status published
Products (50)
debian/debian_linux 9.0
oracle/application_testing_suite 12.5.0.3
oracle/application_testing_suite 13.1.0.1
oracle/application_testing_suite 13.2.0.1
oracle/application_testing_suite 13.3.0.1
oracle/big_data_discovery 1.6.0
oracle/communications_converged_application_server < 7.0.0.1
oracle/communications_diameter_signaling_router < 8.3
oracle/communications_performance_intelligence_center < 10.2.1
oracle/communications_services_gatekeeper < 6.1.0.4.0
... and 40 more
Published Apr 06, 2018
Tracked Since Feb 18, 2026