CVE-2024-40489
Received Received - Intake
Code Injection in Jeecg Boot 3.0.0-3.5.3 Enables Remote Execution

Publication date: 2026-04-01

Last updated on: 2026-04-06

Assigner: MITRE

Description
There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2024-40489
EUVD
EUVD-2024-55519
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeecg jeecg_boot From 3.0 (inc) to 3.5.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to execute arbitrary code remotely, which can lead to unauthorized access, data breaches, and potential manipulation or theft of sensitive information.

Such security breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure system integrity.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of data, leading to violations of these regulatory requirements.

Executive Summary

CVE-2024-40489 is a Server-Side Template Injection (SSTI) vulnerability in the JeecgBoot JimuReport component, affecting versions 3.0.0 to 3.5.3.

This vulnerability exists due to lax character filtering at the /jeecg-boot/jmreport/dictCodeSearch endpoint, which allows attackers to inject malicious FreeMarker templates.

By exploiting this flaw, attackers can execute arbitrary code remotely on the affected system.

Impact Analysis

This vulnerability can have severe impacts as it allows remote attackers to execute arbitrary code on the affected system.

Such remote code execution can lead to unauthorized access, data theft, system compromise, and potentially full control over the affected server.

Detection Guidance

This vulnerability can be detected by testing the /jeecg-boot/jmreport/dictCodeSearch endpoint for Server-Side Template Injection (SSTI) attempts. Specifically, sending specially crafted HTTP requests containing FreeMarker template payloads to this endpoint may reveal if the system is vulnerable.

A common approach is to use curl or similar HTTP clients to send test payloads and observe the response for signs of code execution or error messages indicative of template injection.

  • Example command to test the endpoint using curl: curl -X POST 'http://<target>/jeecg-boot/jmreport/dictCodeSearch' -d 'param=${7*7}'

If the response contains the result of the expression (e.g., 49), it indicates the presence of SSTI vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint /jeecg-boot/jmreport/dictCodeSearch to trusted users only.

Additionally, applying input validation and sanitization to filter out malicious FreeMarker template syntax in HTTP requests can help prevent exploitation.

Upgrading JeecgBoot to a version later than 3.5.3 where this vulnerability is fixed is the most effective long-term mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-40489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart