The vulnerability in Spring Data MongoDB affects repository query methods annotated with @Query that utilize regex parameter binding. Due to insufficient validation of the bound regex parameter, an attacker can craft a string that escapes the intended quoting mechanism, potentially altering the query logic. This improper neutralization of special elements in data query logic can lead to unintended query behavior. The affected versions span multiple releases from 3.4.0 through 5.0.5 across several minor versions. The CVSS v3.1 base score is 5.9, indicating a medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No official patch or remediation level is provided in the available data, and no known exploits in the wild have been reported.

Successful exploitation of this vulnerability could allow an attacker to manipulate the query logic in Spring Data MongoDB repository methods that use regex parameter binding. This can lead to unauthorized disclosure of sensitive data due to the high confidentiality impact. There is no impact on integrity or availability according to the CVSS vector. The attack requires network access and has high complexity, with no privileges or user interaction needed.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using regex parameter binding in @Query annotated repository methods or implement additional input validation to ensure that regex parameters cannot break out of the intended quoting. Monitor official Spring project advisories for updates on patches or workarounds.