Expression Injection Vulnerability in Mendix Applications
Severity score: 6.5 · Advisory: SSA-492173 · Published: Jul 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
An expression injection vulnerability exists in the Workflow processing of Mendix Runtime that allows a malicious user to leak sensitive information if the Workflow visual language is used. Affected versions include Mendix 9 (>= V9.11 < V9.15) and Mendix 9.12 (< V9.12.3). Siemens has released updates and recommends upgrading to the latest versions and redeploying applications.
What this means
What could happen
An attacker with valid application access could inject expressions into Mendix Workflow logic to extract sensitive data from your application memory or backend systems. This could expose database credentials, user information, or other confidential data depending on what your application stores.
Who's at risk
Organizations running Mendix applications for business logic, reporting, or workflow automation should prioritize this update. This includes line-of-business applications, asset management systems, and any Mendix-based tools handling sensitive data or credentials. Developers using the Mendix Workflow feature for process automation are most directly affected.
How it could be exploited
An attacker with legitimate user or developer access to a Mendix application that uses the Workflow visual language could craft malicious expression payloads in workflow inputs or configurations. The Mendix Runtime evaluates these injected expressions without proper sanitization, allowing the attacker to read sensitive data held in the application context or in connected systems.
Prerequisites
- Valid user account on the Mendix application
- Application must use Mendix Workflow visual language feature
- Attacker must have input capability to workflow parameters or expressions
- Remotely exploitable
- Requires valid user credentials
- Low complexity exploitation
- Affects data confidentiality only (no code execution or availability impact)
- Actively used in enterprise development platforms
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (2), 2 with fix

Product                                    | Affected Versions   | Fix Status
Mendix Applications using Mendix 9         | >= V9.11 < V9.15    | 9.15
Mendix Applications using Mendix 9 (V9.12) | < V9.12.3           | 9.12.3
Remediation & Mitigation
Schedule — requires maintenance window. Patching may require device reboot — plan for process interruption.
- HOTFIX: Update Mendix Runtime to version 9.15 or later for Mendix 9 applications
- HOTFIX: Update Mendix Runtime to version 9.12.3 or later for Mendix 9.12 applications if unable to upgrade to 9.15
- HOTFIX: Redeploy all Mendix applications after updating the runtime to apply the fix
Long-term hardening
- HARDENING: Review and restrict user permissions for workflow creation and modification to trusted developers only
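The three hotfix steps above amount to a version-range decision per application: anything on 9.11 through 9.14 needs 9.15, and the 9.12 branch has its own 9.12.3 backport for teams that cannot move to 9.15 yet. The following script, an added example that is not part of the advisory or of any Siemens or Mendix tooling, triages a constructed inventory of applications against exactly the two affected ranges listed on this page. The inventory format, the application names and the function names are assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Affected ranges taken from the advisory's product table.
AFFECTED_LOW = (9, 11, 0)   # first affected Mendix 9 runtime (>= V9.11)
AFFECTED_HIGH = (9, 15, 0)  # first fixed mainline runtime (< V9.15 is affected)
BRANCH_912_FIX = (9, 12, 3) # backported fix on the 9.12 branch (< V9.12.3 is affected)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'V9.12.3', '9.12', or '9.12.3.12345' into a comparable (major, minor, patch) tuple.
    Build numbers beyond the third component are ignored for range checks."""
    cleaned = text.strip().lstrip("vV")
    parts = cleaned.split(".")[:3]
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]  # pad short versions such as '9.12' with zeros


@dataclass(frozen=True)
class Assessment:
    app: str
    version: str
    affected: bool
    recommended_fix: Optional[str]  # the target the advisory recommends first
    alternative_fix: Optional[str]  # branch backport, only when one exists
    note: str


def assess_runtime(app: str, version: str) -> Assessment:
    """Decide whether one application's Mendix Runtime falls in an affected range
    and which remediation target from the advisory applies to it."""
    v = parse_version(version)

    # Outside the affected window entirely (older than 9.11, or already 9.15+).
    if v < AFFECTED_LOW or v >= AFFECTED_HIGH:
        return Assessment(app, version, False, None, None, "not in an affected range")

    # 9.12 branch: the backported 9.12.3 fix closes the issue without a 9.15 upgrade.
    if v[:2] == (9, 12):
        if v >= BRANCH_912_FIX:
            return Assessment(app, version, False, None, None, "9.12 branch already patched (>= 9.12.3)")
        return Assessment(app, version, True, "9.15", "9.12.3",
                          "upgrade to 9.15, or 9.12.3 if a major jump is not possible; redeploy afterwards")

    # 9.11, 9.13, 9.14: only the mainline fix applies.
    return Assessment(app, version, True, "9.15", None,
                      "upgrade to 9.15 or later and redeploy the application")


def triage(inventory: List[Tuple[str, str]]) -> List[Assessment]:
    """Assess every (app, runtime version) pair and list affected ones first."""
    results = [assess_runtime(app, ver) for app, ver in inventory]
    return sorted(results, key=lambda a: (not a.affected, a.app))


# Constructed sample inventory (hypothetical application names and versions).
SAMPLE_INVENTORY = [
    ("asset-register", "9.12.1"),
    ("expense-portal", "V9.14.0.26204"),
    ("hr-onboarding", "9.15.0"),
    ("legacy-reporting", "9.10.2"),
    ("vendor-workflow", "9.12.3"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        status = "AFFECTED" if a.affected else "ok"
        print(f"{a.app:18} {a.version:15} {status:9} {a.note}")
```

Feed it the runtime version each deployment actually reports rather than the version in the project file, since the advisory's fix only takes effect after the application is redeployed on the updated runtime.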
CVEs (1)