Affected versions of this package are vulnerable to Improper Input Validation. A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
The bug is in the parser's grammar: a $ or # followed by a character that is not {, $ or # is consumed, together with that character, as part of a literal expression. The pertinent case is when the character following the $ or # is a backslash. The parser then swallows the backslash into the literal and leaves the character that follows it unescaped, so in text such as `$\${expr}` the `$\` pair becomes a literal and `${expr}` is evaluated even though the backslash was meant to escape it.
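The tokenization described above, as an added example modelled in Python. This is not code from org.glassfish:javax.el (whose lexer is generated from a JavaCC grammar); the regexes are a simplified stand-in for the LITERAL_EXPRESSION token as the advisory describes it. The "fixed" rule, which additionally refuses to pair a $ or # with a following backslash, is an assumption written for contrast and is not a quote of the 3.0.4 change. `naive_escape` is a constructed input filter of the kind this bug defeats, and the sample inputs are constructed too.

```python
import re

# Model of the DEFAULT-state lexing that the advisory describes. The regexes
# stand in for the LITERAL_EXPRESSION token of the JavaCC grammar; this is a
# simplification written for this example, not the library's ELParser.jjt.
#
# Alternatives inside the repeated group, in the order they are tried:
#   \$ or \#          an escaped delimiter stays literal
#   any char but $ #  ordinary text
#   $x or #x          a delimiter that does not open an expression, paired
#                     with the next character (the buggy form lets x be '\')
_BUGGY_LITERAL = re.compile(r'(?:\\[$#]|[^$#]|[$#][^{$#])+|[$#]')

# Assumed fix for contrast: a backslash can no longer be swallowed as the
# second half of a "$x"/"#x" literal pair, so it is free to escape what
# follows it. This is an illustration, not a quote of the 3.0.4 patch.
_FIXED_LITERAL = re.compile(r'(?:\\[$#]|[^$#]|[$#][^{$#\\])+|[$#]')

# ${...} / #{...}; the expression body itself is not parsed by this model.
_DYNAMIC = re.compile(r'[$#]\{[^}]*\}')


def tokenize(text, fixed=False):
    """Split template text into ("literal", s) and ("dynamic", s) tokens.

    fixed=False reproduces the behaviour the advisory describes;
    fixed=True uses the assumed corrected rule.
    """
    literal = _FIXED_LITERAL if fixed else _BUGGY_LITERAL
    tokens = []
    i = 0
    while i < len(text):
        if text.startswith(("${", "#{"), i):
            m = _DYNAMIC.match(text, i)
            if m is None:
                raise ValueError(f"unterminated expression at offset {i}")
            tokens.append(("dynamic", m.group()))
        else:
            m = literal.match(text, i)   # always consumes at least one char
            tokens.append(("literal", m.group()))
        i = m.end()
    return tokens


def evaluates_dynamically(text, fixed=False):
    """True if any part of text would be handed to the expression evaluator."""
    return any(kind == "dynamic" for kind, _ in tokenize(text, fixed))


def naive_escape(user_input):
    """Constructed input filter of the kind this bug defeats: it prefixes
    every '${' and '#{' with a backslash so the text is meant to stay literal.
    """
    return user_input.replace("${", r"\${").replace("#{", r"\#{")


if __name__ == "__main__":
    samples = [
        "${1+1}",    # plain expression, escaped correctly by the filter
        "$${1+1}",   # attacker-chosen: an extra $ in front of the expression
        "##{1+1}",   # the same trick with the deferred delimiter
    ]
    for raw in samples:
        escaped = naive_escape(raw)
        print(f"{raw!r} -> escaped {escaped!r}")
        print("  buggy:", tokenize(escaped))
        print("  fixed:", tokenize(escaped, fixed=True))
```

With the buggy rule, `$${1+1}` passes through the filter as `$\${1+1}`, which lexes as the literal `$\` followed by the dynamic expression `${1+1}`; with the assumed fix the same text lexes as the literal `$` followed by the literal `\${1+1}`. To check a real build of the library rather than this model, feed the same escaped strings through `ExpressionFactory.createValueExpression` against an `ELContext` and see whether the `${...}` part is evaluated.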
Note: org.glassfish:javax.el is deprecated; users can migrate to org.glassfish:jakarta.el, where this issue is fixed in version 3.0.4 and later.
Remediation
There is no fixed version for org.glassfish:javax.el. Migrate to org.glassfish:jakarta.el 3.0.4 or later.