Do the parameters of a string passed to the @Query annotation, for Spring, get treated as pure data as they would if, for example, you were using the PreparedStatement class or any method meant to prevent SQL injection?
final String MY_QUERY = "SELECT * FROM some_table WHERE some_column = ?1";
@Query(value=MY_QUERY, nativeQuery = true)
List<SomeEntity> findResults(String potentiallyMaliciousUserInput);
Bottom Line: Is the code above susceptible to SQL injection?
It looks like Spring Data's @Query is just a wrapper around JPA
See this SO answer: Are SQL injection attacks possible in JPA?