skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
March 25, 2020

GHSL-2020-027: Server-Side Template Injection in Netflix Conductor

Alvaro Munoz


A Server-Side Template Injection was identified in Netflix Conductor enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.




Netflix Conductor

Tested Version


Issues found

GHSL-2020-027 Details - Remote Code Execution - JavaEL Injection

It is possible to run arbitrary code on the server (with Conductor service account privileges) by injecting arbitrary Java Expression Language (EL) expressions.

Netflix Conductor uses Java Bean Validation (JSR 380) custom constraint validators such as When building custom constraint violation error messages, it is important to understand that they support different types of interpolation, including Java EL expressions. Therefore if an attacker can inject arbitrary data in the error message template being passed to ConstraintValidatorContext.buildConstraintViolationWithTemplate() argument, they will be able to run arbitrary Java code. Unfortunately, it is common that validated (and therefore, normally untrusted) bean properties flow into the custom error message.

class TaskTimeoutValidator implements ConstraintValidator<TaskTimeoutConstraint, TaskDef> {
    public void initialize(TaskTimeoutConstraint constraintAnnotation) {
    public boolean isValid(TaskDef taskDef, ConstraintValidatorContext context) {
        boolean valid = true;
        if (taskDef.getTimeoutSeconds() > 0) {
            if (taskDef.getResponseTimeoutSeconds() > taskDef.getTimeoutSeconds()) {
                valid = false;
                String message = String.format("TaskDef: %s responseTimeoutSeconds: %d must be less than timeoutSeconds: %d",
                        taskDef.getName(), taskDef.getResponseTimeoutSeconds(), taskDef.getTimeoutSeconds());
        return valid;

We found multiple paths flowing into ConstraintValidatorContext.buildConstraintViolationWithTemplate(0).


This issue may lead to Remote Code execution


There are different approaches to remediate the issue:

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy

Supporting resources


This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz). We would like to thank Guillaume Smet from the Hibernate Validator team for help with the remediation advice.


You can contact the GHSL team at, please include the GHSL-YEAR-ID in any communication regarding this issue.