CVE-2022-22965 Explained: Spring4Shell, the Spring Framework RCE Vulnerability
A CVSS 9.8 remote code execution vulnerability in Spring Framework affecting applications running on JDK 9 and later. Feared as the next Log4Shell, here is what it actually does and how to fix it.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2022-22965, named Spring4Shell by the security community, is a critical remote code execution vulnerability in the Spring Framework's data binding functionality. Disclosed on March 31, 2022, it scores 9.8 on the CVSS v3 scale and affects Spring Framework 5.3.x before 5.3.18 and 5.2.x before 5.2.20 when deployed on JDK 9 or later.
The vulnerability was immediately compared to Log4Shell due to Spring Framework's ubiquity in enterprise Java development. Spring is used by an estimated one million developers and is deployed in applications across financial services, government, healthcare, and technology sectors. While Spring4Shell proved less catastrophic than Log4Shell in practice due to its exploitation prerequisites, it remains a critical vulnerability with active exploitation observed in the wild.
How Spring4Shell Works: ClassLoader Manipulation via Data Binding
Spring Framework's data binding feature maps HTTP request parameters to Java object properties using reflection. This includes not just simple properties but also nested properties accessible through getter chains. An attacker can supply HTTP parameters using Spring's dot-notation to traverse object property paths, including paths that reach sensitive Java runtime objects.
The specific exploitation path in CVE-2022-22965 chains through the Java ClassLoader. By supplying parameters like class.module.classLoader.resources.context.parent.pipeline.first.*, an attacker can access and modify properties of the Tomcat log handler, including the log file path, prefix, suffix, and the log pattern. By manipulating these properties, the attacker redirects Tomcat's access log to write to a JSP file in the web application's publicly accessible root directory.
Once the log file is redirected, the attacker sends a request containing JSP code in a header or parameter, which gets written into the log file (now a .jsp file). The JSP file is then requested directly, executing the embedded code as a web shell with the privileges of the Tomcat process.
This exploitation chain requires JDK 9 or later because the module system introduced in Java 9 changed ClassLoader accessibility. Spring's disallowed field list was also updated from earlier versions. Applications running on JDK 8 are not vulnerable via this specific chain.
Identify Spring MVC application
Identify target web applications built on Spring Framework with multipart request handling. Applications exposing endpoints that accept HTTP parameters bound to POJOs with Spring MVC are candidates.
Traverse ClassLoader via binding
Send an HTTP POST with parameters using dot-notation traversal such as class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat to reach Tomcat's log configuration objects.
Redirect Tomcat log output
Modify the Tomcat AccessLogValve properties to change the log file directory to the web root and the file suffix to .jsp, effectively pointing the access log at a new JSP file.
Write web shell
Send a request with JSP code (e.g., Runtime.exec() wrapping) in a header that gets written to the redirected log file, creating a functional web shell in the application's web root.
Execute shell
Request the newly created JSP file directly via HTTP. The Tomcat servlet container executes the embedded JSP code, providing persistent RCE as the application server process user.
Spring4Shell vs. Log4Shell: Why the Impact Differed
When Spring4Shell dropped, the security industry feared a repeat of Log4Shell, a critical RCE in a foundational Java library with a trivial exploit and universal exposure. The actual impact was more contained, for structural reasons.
Log4Shell's exploit was a single malicious string that could be passed in virtually any user-controlled input field, with no contextual requirements beyond Log4j being present. Spring4Shell's exploitation chain has meaningful prerequisites: JDK 9 or later, deployment on Apache Tomcat as a WAR file, and Spring MVC with the standard data binding configuration.
Applications packaged as JAR files with the embedded Tomcat in Spring Boot's default configuration are not vulnerable via the main exploitation chain, because they do not use the separate Tomcat log file mechanism that the ClassLoader traversal targets. This excluded a large portion of modern Spring Boot applications from the most severe attack scenario.
Nonetheless, exploitation in the wild was confirmed rapidly. Threat actors including ransomware groups were observed scanning for and exploiting CVE-2022-22965 within days of public disclosure. Variants of the exploit targeting different ClassLoader paths and different deployment configurations were identified in subsequent weeks.
“Spring4Shell is a serious vulnerability. While its exploitation prerequisites narrow the affected population compared to Log4Shell, any Spring MVC application on JDK 9+ deployed as a WAR on Tomcat should be treated as vulnerable until patched.”
VMware Tanzu Spring Security Advisory, March 2022
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Mitigating CVE-2022-22965
VMware and the Spring team released patches on March 31, 2022. The following steps address CVE-2022-22965 completely and provide defense-in-depth for environments where immediate patching is constrained.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Spring4Shell demonstrated that the security community learned important lessons from Log4Shell about rapid response to critical framework vulnerabilities, but also that exploitation sophistication and speed continue to accelerate. Proof-of-concept code was available within hours of disclosure, and active exploitation began within days.
The prerequisite conditions that limited Spring4Shell's blast radius compared to Log4Shell are real but not permanent. Researchers identified multiple alternative exploitation chains targeting different ClassLoader paths and different deployment configurations in the weeks following initial disclosure.
The only durable response is patching. Organizations running Spring Framework on JDK 9+ should treat any unpatched deployment as actively exploitable, audit their Java application portfolios for affected versions, and establish processes to discover Spring Framework versions embedded in application dependencies, including those bundled inside WAR files and Docker images.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is Spring4Shell (CVE-2022-22965)?
Spring4Shell is a CVSS 9.8 RCE in the Spring Framework data binding component. An attacker sends HTTP parameters using dot-notation to traverse the Java ClassLoader, modifies Tomcat's access log configuration to redirect logging to a JSP file in the web root, then writes malicious JSP code to that file and executes it. Requires JDK 9+, Spring MVC, and WAR deployment on Tomcat.
Is Spring Boot vulnerable to Spring4Shell?
Spring Boot applications packaged as executable JARs with embedded Tomcat are NOT vulnerable via the main exploit chain. The attack requires WAR-file deployment to a standalone Tomcat instance. However, Spring Boot applications deployed as WARs to external Tomcat servers are affected.
How do I fix CVE-2022-22965?
Upgrade Spring Framework to 5.3.18 or 5.2.20 (or later). For Spring Boot, upgrade to 2.6.6 or 2.5.12. As an immediate workaround, add setDisallowedFields to DataBinder configurations blocking 'class.*' parameter patterns.
Is Spring4Shell as severe as Log4Shell?
Spring4Shell has a CVSS score of 9.8, equal to Log4Shell, but its real-world blast radius was smaller due to multiple exploitation prerequisites. Log4Shell affected any application logging user-controlled strings, covering virtually all Java applications. Spring4Shell requires Spring MVC, JDK 9 or later, and WAR-file deployment to a standalone Tomcat server. Spring Boot fat JARs with embedded Tomcat, the default for modern Spring Boot applications, are not vulnerable via the main exploitation chain. This narrowed the affected population significantly compared to Log4Shell.
Which Spring applications are NOT vulnerable to CVE-2022-22965?
Spring Boot applications packaged as executable JAR files with embedded Tomcat are not vulnerable via the primary ClassLoader traversal exploit chain because they use the embedded Tomcat server rather than a standalone Tomcat with the external log directory accessible to the exploit. Applications running on JDK 8 are also not vulnerable via this specific chain. Spring applications not using Spring MVC or Reactive Web, or those not using standard MVC data binding, are not affected. The vulnerable configuration is specifically: Spring MVC + JDK 9+ + WAR deployment on external Tomcat.
How do I check if my Spring application is vulnerable to Spring4Shell?
Check three conditions: (1) JDK version: java -version, if JDK 8 or lower you are not vulnerable via the main chain. (2) Spring Framework version: check your pom.xml or build.gradle for spring-webmvc or spring-web version, must be 5.3.x before 5.3.18 or 5.2.x before 5.2.20 to be vulnerable. (3) Deployment model: check if your application runs as an executable JAR (not vulnerable via the main chain) or as a WAR deployed to external Tomcat (potentially vulnerable). All three conditions must be true for the primary ClassLoader exploitation path.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
