Comprehensive Analysis of CVE-2024-22263: Arbitrary File-Write Vulnerability and Its Impact


Introduction
Spring Cloud Data Flow (SCDF) is a micro-service-based platform for building stream and batch data pipelines on Cloud Foundry and Kubernetes. A critical arbitrary file-write flaw exists in the Skipper server component that handles package-upload requests. Insufficient sanitization of the upload path allows an attacker to craft a malicious request and write arbitrary files anywhere on the server’s file system, ultimately leading to full system compromise.

What Is Spring Cloud Data Flow?
SCDF is a comprehensive toolkit for designing and orchestrating data pipelines in micro-service architectures. As part of the Spring ecosystem, it enables real-time and batch data processing, covering ETL jobs, stream processing, and event-driven workflows.

Lab Environment Setup
Affected versions: 2.11.x and 2.10.x. We use 2.11.0 for analysis.

  1. In spring-cloud-dataflow-2.11.0/src/docker-compose, locate docker-compose.yml.
  2. Add the following line under the skipper-server service's environment section to enable remote debugging:

     JAVA_TOOL_OPTIONS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005

  3. Deploy the environment:

     sudo docker-compose up -d

  4. Access the dashboard (default port 9393) and the Skipper Server API.

Analysis
The flaw resides in PackageService.java, at path: spring-cloud-dataflow-2.11.0/spring-cloud-skipper/spring-cloud-skipper-server-core/src/main/java/.../service/PackageService.java

Static Analysis

  1. Search usages of the upload(UploadRequest) method:
    • Found 5 references in the codebase, all under spring-cloud-skipper-server-core.
    • Key controller entry point:

        @RequestMapping(path = "/upload", method = RequestMethod.POST)
        @ResponseStatus(HttpStatus.CREATED)
        public EntityModel<PackageMetadata> upload(@RequestBody UploadRequest uploadRequest) {
            return this.packageMetadataResourceAssembler.toModel(
                    this.packageService.upload(uploadRequest));
        }

  2. Endpoint: /api/package/upload via POST.
  3. Root cause: PackageService.upload concatenates the user-supplied package name and version into the file path without validating or neutralizing directory-traversal sequences (../).

Dynamic Debugging

  • Attach a remote debugger on port 5005.
  • Send a crafted UploadRequest with a malicious filename such as: ../../../etc/cron.d/evil
  • Observe the file being written outside the intended upload directory.

Impact

  • Remote code execution via writable cron jobs, systemd units, or web-app resources.
  • Complete server takeover and lateral movement within the Kubernetes/CF cluster.
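Because the article pins down both the endpoint (/api/package/upload) and the payload shape (traversal sequences in the package name or version), exploitation attempts are easy to spot in request logs. The detector below is an added example written for this page, not code from Spring Cloud Data Flow or Skipper; the "METHOD PATH key=value" log format, the sample lines and the class name are all constructed assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: flags upload requests whose package name or version carries
// directory-traversal sequences. Not project code; log format and lines are constructed.
public final class UploadTraversalDetector {

    // Constructed sample lines in a hypothetical "METHOD PATH key=value ..." format.
    static final String[] SAMPLE_LOG = {
        "POST /api/package/upload name=my-app version=1.0.0 src=10.0.0.12",
        "POST /api/package/upload name=../../../etc/cron.d/evil version=1 src=198.51.100.7",
        "POST /api/package/upload name=..%2f..%2f..%2fetc%2fcron.d%2fevil version=1 src=198.51.100.7",
        "POST /api/package/upload name=my-app version=..\\..\\..\\tmp\\x src=203.0.113.9",
        "GET /api/about src=10.0.0.12",
    };

    // Matches "../" or "..\" plus the URL-encoded forms of ".." and of both slash kinds,
    // so a client that percent-encodes the traversal is still caught.
    private static final Pattern TRAVERSAL =
        Pattern.compile("(\\.\\.[/\\\\]|%2e%2e|%2f|%5c)", Pattern.CASE_INSENSITIVE);

    // Only the upload endpoint is of interest here; a version string like "1.0.0"
    // contains dots but no consecutive pair, so benign lines do not match.
    static boolean isSuspicious(String line) {
        if (!line.contains("/api/package/upload")) {
            return false;
        }
        return TRAVERSAL.matcher(line).find();
    }

    static List<String> flag(String[] lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Three of the five constructed lines should be reported.
        for (String hit : flag(SAMPLE_LOG)) {
            System.out.println("ALERT " + hit);
        }
    }
}
```

A real deployment would feed this the request body rather than a summarized log line, since the UploadRequest fields travel in JSON; the matching logic is the same.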

Mitigation

  1. Upgrade to SCDF 2.11.1+ or 2.10.4+, which contain the fix (proper path normalization).
  2. Network segmentation: Restrict access to /api/package/upload to trusted IPs.
  3. Runtime hardening: Enforce strict file-system permissions inside the Skipper container.
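The root cause in the static analysis above and mitigation item 1 come down to the same thing: the target path must be resolved against a fixed upload root, normalized, and rejected if it lands anywhere else. The class below is an added example contrasting the naive concatenation with that check; it is not Spring Cloud Skipper's own code, and the upload root (/var/skipper/uploads), the name-version.zip file-name scheme and the class name are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: naive path concatenation beside a normalized, root-anchored resolution.
// Not Skipper's own code; the upload root and file-name scheme are assumed for illustration.
public final class PackagePathGuard {

    // Hypothetical upload root; the real Skipper directory is not stated in the article.
    static final Path UPLOAD_ROOT = Paths.get("/var/skipper/uploads").toAbsolutePath().normalize();

    // Vulnerable pattern: user-controlled name and version are glued onto the root
    // without checks, so "../" segments in either field walk out of the directory.
    static String naiveTarget(String name, String version) {
        return UPLOAD_ROOT + "/" + name + "-" + version + ".zip";
    }

    // Hardened pattern: resolve, normalize, then require the result to be a direct
    // child of the root. Path.startsWith compares whole components, so a sibling
    // directory such as /var/skipper/uploads2 does not pass either.
    static Path safeTarget(String name, String version) {
        if (name == null || name.isEmpty() || version == null || version.isEmpty()) {
            throw new IllegalArgumentException("name and version are required");
        }
        Path target = UPLOAD_ROOT.resolve(name + "-" + version + ".zip").normalize();
        if (!target.startsWith(UPLOAD_ROOT) || !UPLOAD_ROOT.equals(target.getParent())) {
            throw new IllegalArgumentException("package path escapes the upload directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        String[][] inputs = {
            {"my-app", "1.0.0"},                // benign, accepted
            {"../../../etc/cron.d/evil", "1"},  // traversal in the name, rejected
            {"my-app", "../../../tmp/x"},       // traversal in the version, rejected
            {"sub/dir", "1"},                   // stays under root but not a direct child, rejected
        };
        for (String[] in : inputs) {
            System.out.println("naive : " + naiveTarget(in[0], in[1]));
            try {
                System.out.println("safe  : " + safeTarget(in[0], in[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("safe  : REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

The direct-child requirement is stricter than a plain startsWith check and is what stops a name containing a forward slash from creating subdirectories under the root; if the service legitimately needs nested layouts, relax only that second condition.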

Tags: WebSecurity, SpringVulnerability, VulnAnalysis, SpringRCE, ArbitraryFileWrite

Disclaimer

  1. General Disclaimer: The technical information provided herein is for reference only and does not constitute professional advice. Readers must comply with the Cyber Security Law of the People’s Republic of China and are solely responsible for any use of this information. Neither the author nor the publishing platform shall be liable for any direct or indirect damages arising from its use.
  2. Applicability Statement: The techniques described may not suit all environments. Thorough testing and evaluation are required before production deployment; improper use is at your own risk.
  3. Update Statement: Technology evolves rapidly; the article may become outdated. Readers should verify timeliness; neither the author nor the platform is responsible for consequences resulting from obsolete content.