CVE Record
[ CRITICAL ] CVE-2022-22965

Spring4Shell — Spring Framework Remote Code Execution

A remote-code-execution vulnerability in the Spring Framework, stewarded by VMware, allows an attacker to achieve RCE via data binding under specific conditions — JDK 9+, Spring Framework versions before 5.3.18 / 5.2.20, and deployment as a traditional WAR on Apache Tomcat.

Vendor: VMware
Product: Spring Framework
CVSS: 9.8
Status: kev
Published:

CVE-2022-22965, quickly dubbed “Spring4Shell” for its proximity in name and disclosure timing to Log4Shell, is a remote-code-execution vulnerability in the Spring Framework, the widely used Java application framework stewarded by VMware. It was disclosed on March 31, 2022, after proof-of-concept exploit details leaked publicly ahead of an official patch. The flaw allows a remote attacker to manipulate the Spring data-binding process to reach the underlying ClassLoader and ultimately write a malicious file to a web-accessible path, achieving code execution. It applies under a specific but not uncommon combination of conditions: JDK 9 or later, Spring MVC or Spring WebFlux, and deployment as a traditional WAR file on Apache Tomcat.

Why it mattered

Spring underpins a huge share of enterprise Java web applications, and the narrower (but still widespread) set of vulnerable deployment conditions meant security teams had to triage carefully rather than assume blanket exposure — a harder task than Log4Shell’s near-universal applicability, and one that led to real confusion in the first 48 hours about which applications were actually at risk. VMware shipped patches the same day details leaked, and CISA added the CVE to its KEV catalog shortly afterwards, once in-the-wild exploitation was confirmed.

Because the vulnerable conditions were specific, VMware’s advisory doubled as risk-triage guidance: organizations not running the exact vulnerable combination were not at risk from this specific CVE, though the framework-level patch was recommended regardless. Full technical detail and the complete list of vulnerable configurations are in VMware’s/Spring’s security advisory and in the NVD entry for this CVE.
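The triage logic described above, written out as an added example (not code from the advisory or the Spring project): it compares a Spring Framework version against the fixed releases named on this page and combines that with the JDK, packaging and container conditions. The Deployment inputs are constructed sample values, and treating 6.x as fixed and unsupported pre-5.2 branches as unpatched is this example's assumption.

```python
"""Triage helper for CVE-2022-22965 (added example, not the advisory's own code)."""
from dataclasses import dataclass

# Fixed versions per supported branch, as stated in the advisory.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}


def parse_version(text: str) -> tuple:
    """Turn '5.3.17' or '5.3.17.RELEASE' into an integer tuple (5, 3, 17)."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break  # stop at qualifiers such as RELEASE / SNAPSHOT
        parts.append(int(piece))
    if len(parts) < 2:
        raise ValueError(f"unrecognised Spring version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def spring_version_is_patched(version: str) -> bool:
    """True only at or above the fix for the version's branch.
    Assumption: 6.x shipped after the fix; branches before 5.2 are out of
    support and never received one, so they count as unpatched."""
    v = parse_version(version)
    fix = FIXED.get(v[:2])
    if fix is None:
        return v[:2] > (5, 3)
    return v >= fix


@dataclass
class Deployment:
    spring_version: str
    jdk_major: int
    packaging: str   # "war" or "jar"
    container: str   # e.g. "tomcat", "embedded-tomcat", "jetty"


def triage(d: Deployment) -> str:
    """'patch-now' when every condition on the page lines up; 'patch-when-able'
    when the framework is old but the deployment shape is not the exploited one;
    'not-affected' when the framework is already at a fixed version."""
    if spring_version_is_patched(d.spring_version):
        return "not-affected"
    exposed = (d.jdk_major >= 9 and d.packaging == "war"
               and d.container == "tomcat")
    return "patch-now" if exposed else "patch-when-able"
```

In practice the version string would be read from the application's dependency manifest or the spring-core jar manifest rather than typed in by hand.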