Critical Spring AI and ONNX Vulnerabilities: SQL Injection, JSONPath Flaws, and Model Substitution
In March 2026, critical vulnerabilities were discovered in Spring AI and ONNX Runtime. Spring AI is susceptible to SQL injection when integrated with databases like MariaDB, and JSONPath injection during user data processing. In ONNX, trust verification can be bypassed when loading models via onnx.hub.load, enabling malicious model substitution. These flaws impact real-world AI systems where models interact with user data and infrastructure.
Spring AI Vulnerability Details
Spring AI integrates LLMs and models into Spring applications, including database access. Key issues include:
- SQL Injection: Occurs when database queries are constructed without input sanitization. Attackers can inject malicious code to extract query logs, chat histories, or user profiles.
- JSONPath Injection: Unfiltered user input allows manipulation of data in multi-user scenarios, enabling reading or altering other clients' information.
Risks escalate in shared-data environments—chat systems, content generation, CRM integrations. Affected versions require immediate patching.
ONNX Model Substitution Risks
ONNX provides a cross-framework model format and hub-based loading. A vulnerability allows bypassing trust checks during onnx.hub.load, enabling the deployment of malicious .onnx files.
Consequences depend on the stack:
- Model weight replacement alters logic, causing abnormal behavior.
- Pipelines with converters may enable RCE through handler exploitation.
ONNX models are artifacts akin to containers—loading them from untrusted sources introduces systemic risks.
Where These Frameworks Hide in Infrastructure
Spring AI and ONNX are often deployed without centralized tracking.
Common Spring AI Use Cases:
- Internal assistants for document search and CRM suggestions.
- Prototypes that evolved into production.
- Spring integrations with external LLMs.
ONNX Applications:
- Recommendation and scoring services.
- MLOps pipelines for framework standardization.
- Vendor products with embedded models.
Inventory audits reveal these deployments across ML teams and off-the-shelf solutions.
Risk Mitigation Recommendations
For security and DevOps teams: isolate the AI stack in a dedicated security zone.
- Inventory:
- Compile a list of frameworks, owners, data types, and environments (prod/test).
- Identify risks: database access, multi-user mode.
- Updates & Hardening:
- Patch Spring AI and add injection testing.
- For ONNX: enforce a whitelist of trusted sources; disable auto-loading.
- Processes:
- Implement AI project reviews at CRM/billing levels.
- Align on strategic components (hubs, LLM proxies).
One-Week Action Checklist
Spring AI:
- Scan repositories and dependencies.
- Audit data access and multi-user scenarios.
- Update versions and implement automated SQL/JSONPath tests.
ONNX:
- Locate
onnx.hub.loadand auto-update configurations. - Restrict sources to a whitelist.
- Request vendor patches and validation logs.
General:
- Add AI frameworks to CVE monitoring.
- Assign an AI stack owner.
- Document requirements in DevSecOps workflows.
Key Takeaways
- SQL and JSONPath injections in Spring AI threaten user data exposure in databases and multi-user systems.
- Bypassing trust checks in ONNX enables model substitution, potentially leading to RCE.
- AI frameworks demand inventory and dedicated security segmentation.
- Moving AI projects to production requires full security review.
- Monitoring CVEs for AI stacks should be a distinct role in the team.
— Editorial Team
No comments yet.