Spring4shell in Express with Basic Auth
Spring4shell in Express with Basic Auth — how this specific combination creates or exposes the vulnerability
Spring4Shell (CVE-2022-22965) targets a Remote Code Execution (RCE) vulnerability in Spring Framework applications using certain versions when classpath scanning is enabled. While the exploit is commonly discussed in the context of Spring MVC or Spring Boot, the risk profile changes when an API is fronted by an Express gateway that uses Basic Auth and proxies requests to a vulnerable Spring backend.
In this combination, Express acts as an unauthenticated entry point that terminates TLS and performs Basic Auth. If Express proxies requests (for example via http proxying or by forwarding credentials and body) to a Spring application that is vulnerable to Spring4Shell, the attack surface expands. An attacker can send a malicious Content-Type header (such as a crafted application/x-www-form-urlencoded or multipart/form-data payload) through the Express endpoint. Because Express may pass headers and the request body through without validating or sanitizing them, the malicious payload reaches the Spring application, triggering remote code execution on the server-side runtime.
Basic Auth in this context does not mitigate the issue; it only adds a layer of access control at the gateway. If credentials are leaked (for example via logs or error messages), or if the Express layer incorrectly forwards authorization headers to the backend, the attacker may still deliver the exploit. Moreover, because middleBrick scans the unauthenticated attack surface, it can detect the presence of a vulnerable Spring endpoint even when Basic Auth is present upstream, especially if the proxy forwards requests without stripping or re-validating credentials. The scanner’s checks for Input Validation, Property Authorization, and SSRF are particularly relevant here: they test whether headers and parameters are improperly trusted when proxied, and whether file descriptors or runtime evaluation features (such as SpEL) are exposed to user-controlled data.
Another concern is the interaction with API discovery and Inventory Management. If the Express layer exposes internal endpoints or documentation (such as /actuator or /swagger endpoints) that should remain internal, middleBrick’s Inventory Management and Data Exposure checks can identify unintended information disclosure. This becomes critical when OpenAPI specs or runtime introspection reveal Spring-specific endpoints that may be vulnerable to Spring4Shell-style exploitation through crafted payloads.
Basic Auth-Specific Remediation in Express — concrete code fixes
To reduce risk when using Basic Auth in Express, ensure strict header and payload handling, avoid forwarding sensitive metadata to downstream services, and validate inputs before proxying. Below are concrete, working examples that demonstrate secure patterns.
Example 1: Basic Auth middleware with header sanitization before proxying
const express = require('express');
const basicAuth = require('express-basic-auth');
const { createProxyMiddleware } = require('http-proxy-middleware');
const app = express();
// Enforce Basic Auth for all incoming requests
app.use(basicAuth({
users: { 'admin': process.env.BASIC_AUTH_PASSWORD },
challenge: true,
realm: 'Restricted API',
}));
// Strip sensitive headers before forwarding to backend
app.use('/api', createProxyMiddleware({
target: 'http://spring-backend:8080',
changeOrigin: true,
onProxyReq: (proxyReq, req, res) => {
// Remove authorization headers to avoid leaking credentials to backend
proxyReq.setHeader('X-Forwarded-User', req.auth.user);
proxyReq.setHeader('X-Forwarded-Token', 'redacted');
},
// Avoid forwarding authorization headers downstream
ignorePath: false,
xfwd: false,
secure: true,
logLevel: 'warn',
}));
app.listen(3000, () => console.log('Gateway running on port 3000'));
Example 2: Input validation and content-type restrictions to limit exploitability
const express = require('express');
const bodyParser = require('body-parser');
const basicAuth = require('express-basic-auth');
const app = express();
// Apply Basic Auth
app.use(basicAuth({
users: { 'apiuser': process.env.BASIC_AUTH_PASS },
challenge: true,
}));
// Limit body size and be explicit about accepted content types
app.use(bodyParser.urlencoded({ extended: false, limit: '10kb' }));
app.use(bodyParser.json({ limit: '10kb' }));
// Middleware to reject unexpected Content-Types for API routes
app.use('/api', (req, res, next) => {
const ctype = req.get('Content-Type') || '';
if (!ctype.startsWith('application/x-www-form-urlencoded') &&
!ctype.startsWith('application/json')) {
return res.status(415).send('Unsupported Media Type');
}
next();
});
app.post('/api/forward', (req, res) => {
// Validate and sanitize payload before forwarding
const safeBody = Object.keys(req.body).reduce((acc, key) => {
const val = req.body[key];
if (typeof val === 'string' && val.length < 200) {
acc[key] = val.replace(/[<>]/g, '');
}
return acc;
}, {});
// Example: forward sanitized payload to backend
// fetch('http://spring-backend/endpoint', { method: 'POST', body: JSON.stringify(safeBody) })
res.json({ received: safeBody });
});
app.listen(4000, () => console.log('Secured gateway on port 4000'));
These patterns help ensure that headers and payloads are controlled, reducing the likelihood that an attacker can deliver a Spring4Shell-style payload through the Express layer. Combine these practices with regular scanning using middleBrick to validate that the unauthenticated attack surface remains within acceptable risk levels.