Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.1
OmniFaces: Using a Bad CDN Mapping Can Let Attackers Run Code
GHSA-vp6r-9m58-5xv8
Summary
If your application uses OmniFaces' CDNResourceHandler with a wildcard mapping, an attacker can craft a request that lets them run malicious code or access sensitive information. To fix this, update to the latest version of OmniFaces or replace wildcard mappings with explicit URLs for each resource. This is a serious issue, so it's best to take action as soon as possible.
What to do
- Update omnifaces org.omnifaces:omnifaces to version 1.14.2.
- Update omnifaces org.omnifaces:omnifaces to version 2.7.32.
- Update omnifaces org.omnifaces:omnifaces to version 3.14.16.
- Update omnifaces org.omnifaces:omnifaces to version 4.7.5.
- Update omnifaces org.omnifaces:omnifaces to version 5.2.3.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| maven | omnifaces | org.omnifaces:omnifaces |
< 1.14.2 >= 2.0-RC1, < 2.7.32 >= 3.0-RC1, < 3.14.16 >= 4.0-M1, < 4.7.5 >= 5.0-M1, < 5.2.2 Fix: upgrade to 1.14.2
|
Original title
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Original description
### Impact
Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request
URL containing an EL expression in the resource name, which is evaluated server-side.
The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.
Applications using `CDNResourceHandler` without wildcard mappings (i.e. only explicit resource-to-URL mappings) are **not** affected.
### Patches
Fixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.
### Workarounds
Replace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:
```
libraryName:*=https://cdn.example.com/*
```
with individual entries:
```
libraryName:resource1.js=https://cdn.example.com/resource1.js,
libraryName:resource2.js=https://cdn.example.com/resource2.js
```
Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request
URL containing an EL expression in the resource name, which is evaluated server-side.
The severity depends on the EL implementation and the objects available in the EL context. In the worst case this leads to Remote Code Execution (RCE). At minimum it allows information disclosure and denial of service.
Applications using `CDNResourceHandler` without wildcard mappings (i.e. only explicit resource-to-URL mappings) are **not** affected.
### Patches
Fixed in versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, and 1.14.2. Users should upgrade to the appropriate version for their branch.
### Workarounds
Replace wildcard CDN mappings with explicit resource-to-URL mappings. For example, replace:
```
libraryName:*=https://cdn.example.com/*
```
with individual entries:
```
libraryName:resource1.js=https://cdn.example.com/resource1.js,
libraryName:resource2.js=https://cdn.example.com/resource2.js
```
ghsa CVSS3.1
8.1
Vulnerability type
CWE-917
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026