CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2022-22965 Explained: Spring4Shell, the Spring Framework RCE Vulnerability

A CVSS 9.8 remote code execution vulnerability in Spring Framework affecting applications running on JDK 9 and later. Feared as the next Log4Shell, here is what it actually does and how to fix it.

9.8
CVSS Score
JDK 9+
Trigger Condition
1M+
Estimated Spring Users
2
Affected Branch Lines

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2022-22965, named Spring4Shell by the security community, is a critical remote code execution vulnerability in the Spring Framework's data binding functionality. Disclosed on March 31, 2022, it scores 9.8 on the CVSS v3 scale and affects Spring Framework 5.3.x before 5.3.18 and 5.2.x before 5.2.20 when deployed on JDK 9 or later.

The vulnerability was immediately compared to Log4Shell due to Spring Framework's ubiquity in enterprise Java development. Spring is used by an estimated one million developers and is deployed in applications across financial services, government, healthcare, and technology sectors. While Spring4Shell proved less catastrophic than Log4Shell in practice due to its exploitation prerequisites, it remains a critical vulnerability with active exploitation observed in the wild.

How Spring4Shell Works: ClassLoader Manipulation via Data Binding

Spring Framework's data binding feature maps HTTP request parameters to Java object properties using reflection. This includes not just simple properties but also nested properties accessible through getter chains. An attacker can supply HTTP parameters using Spring's dot-notation to traverse object property paths, including paths that reach sensitive Java runtime objects.

The specific exploitation path in CVE-2022-22965 chains through the Java ClassLoader. By supplying parameters like class.module.classLoader.resources.context.parent.pipeline.first.*, an attacker can access and modify properties of the Tomcat log handler, including the log file path, prefix, suffix, and the log pattern. By manipulating these properties, the attacker redirects Tomcat's access log to write to a JSP file in the web application's publicly accessible root directory.

Once the log file is redirected, the attacker sends a request containing JSP code in a header or parameter, which gets written into the log file (now a .jsp file). The JSP file is then requested directly, executing the embedded code as a web shell with the privileges of the Tomcat process.

This exploitation chain requires JDK 9 or later because the module system introduced in Java 9 changed ClassLoader accessibility. Spring's disallowed field list was also updated from earlier versions. Applications running on JDK 8 are not vulnerable via this specific chain.

1

Identify Spring MVC application

Identify target web applications built on Spring Framework with multipart request handling. Applications exposing endpoints that accept HTTP parameters bound to POJOs with Spring MVC are candidates.

2

Traverse ClassLoader via binding

Send an HTTP POST with parameters using dot-notation traversal such as class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat to reach Tomcat's log configuration objects.

3

Redirect Tomcat log output

Modify the Tomcat AccessLogValve properties to change the log file directory to the web root and the file suffix to .jsp, effectively pointing the access log at a new JSP file.

4

Write web shell

Send a request with JSP code (e.g., Runtime.exec() wrapping) in a header that gets written to the redirected log file, creating a functional web shell in the application's web root.

5

Execute shell

Request the newly created JSP file directly via HTTP. The Tomcat servlet container executes the embedded JSP code, providing persistent RCE as the application server process user.

Spring4Shell vs. Log4Shell: Why the Impact Differed

When Spring4Shell dropped, the security industry feared a repeat of Log4Shell, a critical RCE in a foundational Java library with a trivial exploit and universal exposure. The actual impact was more contained, for structural reasons.

Log4Shell's exploit was a single malicious string that could be passed in virtually any user-controlled input field, with no contextual requirements beyond Log4j being present. Spring4Shell's exploitation chain has meaningful prerequisites: JDK 9 or later, deployment on Apache Tomcat as a WAR file, and Spring MVC with the standard data binding configuration.

Applications packaged as JAR files with the embedded Tomcat in Spring Boot's default configuration are not vulnerable via the main exploitation chain, because they do not use the separate Tomcat log file mechanism that the ClassLoader traversal targets. This excluded a large portion of modern Spring Boot applications from the most severe attack scenario.

Nonetheless, exploitation in the wild was confirmed rapidly. Threat actors including ransomware groups were observed scanning for and exploiting CVE-2022-22965 within days of public disclosure. Variants of the exploit targeting different ClassLoader paths and different deployment configurations were identified in subsequent weeks.

Spring4Shell is a serious vulnerability. While its exploitation prerequisites narrow the affected population compared to Log4Shell, any Spring MVC application on JDK 9+ deployed as a WAR on Tomcat should be treated as vulnerable until patched.

VMware Tanzu Spring Security Advisory, March 2022
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Mitigating CVE-2022-22965

VMware and the Spring team released patches on March 31, 2022. The following steps address CVE-2022-22965 completely and provide defense-in-depth for environments where immediate patching is constrained.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Spring4Shell demonstrated that the security community learned important lessons from Log4Shell about rapid response to critical framework vulnerabilities, but also that exploitation sophistication and speed continue to accelerate. Proof-of-concept code was available within hours of disclosure, and active exploitation began within days.

The prerequisite conditions that limited Spring4Shell's blast radius compared to Log4Shell are real but not permanent. Researchers identified multiple alternative exploitation chains targeting different ClassLoader paths and different deployment configurations in the weeks following initial disclosure.

The only durable response is patching. Organizations running Spring Framework on JDK 9+ should treat any unpatched deployment as actively exploitable, audit their Java application portfolios for affected versions, and establish processes to discover Spring Framework versions embedded in application dependencies, including those bundled inside WAR files and Docker images.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is Spring4Shell (CVE-2022-22965)?

Spring4Shell is a CVSS 9.8 RCE in the Spring Framework data binding component. An attacker sends HTTP parameters using dot-notation to traverse the Java ClassLoader, modifies Tomcat's access log configuration to redirect logging to a JSP file in the web root, then writes malicious JSP code to that file and executes it. Requires JDK 9+, Spring MVC, and WAR deployment on Tomcat.

Is Spring Boot vulnerable to Spring4Shell?

Spring Boot applications packaged as executable JARs with embedded Tomcat are NOT vulnerable via the main exploit chain. The attack requires WAR-file deployment to a standalone Tomcat instance. However, Spring Boot applications deployed as WARs to external Tomcat servers are affected.

How do I fix CVE-2022-22965?

Upgrade Spring Framework to 5.3.18 or 5.2.20 (or later). For Spring Boot, upgrade to 2.6.6 or 2.5.12. As an immediate workaround, add setDisallowedFields to DataBinder configurations blocking 'class.*' parameter patterns.

Is Spring4Shell as severe as Log4Shell?

Spring4Shell has a CVSS score of 9.8, equal to Log4Shell, but its real-world blast radius was smaller due to multiple exploitation prerequisites. Log4Shell affected any application logging user-controlled strings, covering virtually all Java applications. Spring4Shell requires Spring MVC, JDK 9 or later, and WAR-file deployment to a standalone Tomcat server. Spring Boot fat JARs with embedded Tomcat, the default for modern Spring Boot applications, are not vulnerable via the main exploitation chain. This narrowed the affected population significantly compared to Log4Shell.

Which Spring applications are NOT vulnerable to CVE-2022-22965?

Spring Boot applications packaged as executable JAR files with embedded Tomcat are not vulnerable via the primary ClassLoader traversal exploit chain because they use the embedded Tomcat server rather than a standalone Tomcat with the external log directory accessible to the exploit. Applications running on JDK 8 are also not vulnerable via this specific chain. Spring applications not using Spring MVC or Reactive Web, or those not using standard MVC data binding, are not affected. The vulnerable configuration is specifically: Spring MVC + JDK 9+ + WAR deployment on external Tomcat.

How do I check if my Spring application is vulnerable to Spring4Shell?

Check three conditions: (1) JDK version: java -version, if JDK 8 or lower you are not vulnerable via the main chain. (2) Spring Framework version: check your pom.xml or build.gradle for spring-webmvc or spring-web version, must be 5.3.x before 5.3.18 or 5.2.x before 5.2.20 to be vulnerable. (3) Deployment model: check if your application runs as an executable JAR (not vulnerable via the main chain) or as a WAR deployed to external Tomcat (potentially vulnerable). All three conditions must be true for the primary ClassLoader exploitation path.

Sources & references

  1. NVD
  2. Spring Security Advisory
  3. VMware Tanzu Advisory

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.