A critical CVE entry found last year by Pivotal has been recently published (cve-2017-8046), and its main maintainer has posted a blog entry to clarify the situation. The vulnerability affects Spring Data REST library (and any other library that depends on it) and allows arbitrary remote code execution in PATCH method when using JSONPatch format (jsonpatch.com).
Zero-Day Protection for Hdiv customers
Hdiv Protection (RASP) protects any application running Spring Data REST without requiring any version update. Hdiv’s protection component keeps track of the expected and valid values for each incoming request, and prevents most of Zero-Day flaws by ensuring the contract between the server and the client.