A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. Affected Spring Data MongoDB versions are 3.4.0, 3.3.0 to 3.3.4 and older unsupported once.
