A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVE-2022-22965
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2022-04-04), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 9.8
- EG Score
- 9.8(high)
- EPSS
- 99.9%
- KEV
- ⚠ Exploited
Published
April 1, 2022
Last Modified
October 30, 2025
Advisory Details (5)
Auto-updated Jun 1, 2026Packet Storm
http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.htmlVulnerability in Spring Framework Affecting Cisco Products: March 2022
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
https://tanzu.vmware.com/security/cve-2022-22965Patch Availability(5)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | libspring-web-servlet-java (4.3.30-2ubuntu0.24.10.1) @ oracular | 2026-07-11 | ubuntu |
| redhat | spring-webmvc | 2022-04-27 | redhat |
| redhat | patch | 2022-04-27 | redhat |
| redhat | spring-beans | 2022-04-12 | redhat |
| redhat | patch | 2022-04-11 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(5 across 1 ecosystem)
Maven(5)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.springframework.boot:spring-boot-starter-web | 2.6.0 ... 2.6.5 (6 versions) | 2.6.6 | — |
| org.springframework.boot:spring-boot-starter-webflux | 2.6.0 ... 2.6.5 (6 versions) | 2.6.6 | — |
| org.springframework:spring-beans | 5.3.0 ... 5.3.9 (18 versions) | 5.3.18 | — |
| org.springframework:spring-webflux | 5.3.0 ... 5.3.9 (18 versions) | 5.3.18 | — |
| org.springframework:spring-webmvc | 5.3.0 ... 5.3.9 (18 versions) | 5.3.18 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
All Vendor Advisories
(8)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
- Red HatRHSA-2022:1306IMPORTANT2022-03-30
RHSA-2022:1306 — Important
- Red HatRHSA-2022:1333IMPORTANT2022-03-30
RHSA-2022:1333 — Important
- Red HatRHSA-2022:1360IMPORTANT2022-03-30
RHSA-2022:1360 — Important
- Red HatRHSA-2022:1378IMPORTANT2022-03-30
RHSA-2022:1378 — Important
- Red HatRHSA-2022:1379IMPORTANT2022-03-30
RHSA-2022:1379 — Important
- Red HatRHSA-2022:1626IMPORTANT2022-03-30
RHSA-2022:1626 — Important
- Red HatRHSA-2022:1627IMPORTANT2022-03-30
RHSA-2022:1627 — Important
- UbuntuUSN-7165-1HIGH
Spring Framework vulnerability
Data Freshness Timeline
(refreshed 0× in last 7d / 0× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 22:28 UTCEG score recompute
- 2026-07-11 22:28 UTCVendor advisory
- 2026-07-11 18:50 UTCEG score recompute
- 2026-07-11 18:50 UTCVendor advisory
- 2026-07-11 15:11 UTCEG score recompute
- 2026-07-11 15:11 UTCVendor advisory
- 2026-07-11 11:32 UTCEG score recompute
- 2026-07-11 11:32 UTCVendor advisory
- 2026-07-11 07:52 UTCEG score recompute
- 2026-07-11 07:52 UTCVendor advisory
- 2026-07-11 04:14 UTCEG score recompute
- 2026-07-11 04:14 UTCVendor advisory
- 2026-07-11 00:35 UTCEG score recompute
- 2026-07-11 00:35 UTCVendor advisory
- 2026-07-10 20:57 UTCEG score recompute
- 2026-07-10 20:57 UTCVendor advisory
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 17:18 UTCEG score recompute
- 2026-07-10 17:18 UTCVendor advisory
- 2026-07-10 13:40 UTCEG score recompute
- 2026-07-10 13:40 UTCVendor advisory
- 2026-07-10 09:59 UTCEG score recompute
- 2026-07-10 09:59 UTCVendor advisory
- 2026-07-10 06:20 UTCEG score recompute
- 2026-07-10 06:20 UTCVendor advisory
Show 75 moreShow fewer
- 2026-07-10 02:42 UTCEG score recompute
- 2026-07-10 02:42 UTCVendor advisory
- 2026-07-09 23:03 UTCEG score recompute
- 2026-07-09 23:03 UTCVendor advisory
- 2026-07-09 19:24 UTCEG score recompute
- 2026-07-09 19:24 UTCVendor advisory
- 2026-07-09 15:45 UTCEG score recompute
- 2026-07-09 15:45 UTCVendor advisory
- 2026-07-09 12:06 UTCEG score recompute
- 2026-07-09 12:06 UTCVendor advisory
- 2026-07-09 08:28 UTCEG score recompute
- 2026-07-09 08:28 UTCVendor advisory
- 2026-07-09 04:48 UTCEG score recompute
- 2026-07-09 04:48 UTCVendor advisory
- 2026-07-09 01:10 UTCEG score recompute
- 2026-07-09 01:10 UTCVendor advisory
- 2026-07-08 21:31 UTCEG score recompute
- 2026-07-08 21:31 UTCVendor advisory
- 2026-07-08 17:53 UTCEG score recompute
- 2026-07-08 17:53 UTCVendor advisory
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-08 14:14 UTCEG score recompute
- 2026-07-08 14:14 UTCVendor advisory
- 2026-07-08 10:36 UTCEG score recompute
- 2026-07-08 10:36 UTCVendor advisory
- 2026-07-08 06:58 UTCEG score recompute
- 2026-07-08 06:58 UTCVendor advisory
- 2026-07-08 03:18 UTCEG score recompute
- 2026-07-08 03:18 UTCVendor advisory
- 2026-07-07 23:39 UTCEG score recompute
- 2026-07-07 23:39 UTCVendor advisory
- 2026-07-07 20:00 UTCEG score recompute
- 2026-07-07 20:00 UTCVendor advisory
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 16:21 UTCEG score recompute
- 2026-07-07 16:21 UTCVendor advisory
- 2026-07-07 12:42 UTCEG score recompute
- 2026-07-07 12:42 UTCVendor advisory
- 2026-07-07 09:03 UTCEG score recompute
- 2026-07-07 09:03 UTCVendor advisory
- 2026-07-07 05:24 UTCEG score recompute
- 2026-07-07 05:24 UTCVendor advisory
- 2026-07-07 01:45 UTCEG score recompute
- 2026-07-07 01:45 UTCVendor advisory
- 2026-07-06 22:06 UTCEG score recompute
- 2026-07-06 22:06 UTCVendor advisory
- 2026-07-06 18:26 UTCEG score recompute
- 2026-07-06 18:26 UTCVendor advisory
- 2026-07-06 14:46 UTCEG score recompute
- 2026-07-06 14:46 UTCVendor advisory
- 2026-07-06 11:07 UTCEG score recompute
- 2026-07-06 11:07 UTCVendor advisory
- 2026-07-06 07:27 UTCEG score recompute
- 2026-07-06 07:27 UTCVendor advisory
- 2026-07-06 03:48 UTCEG score recompute
- 2026-07-06 03:48 UTCVendor advisory
- 2026-07-06 00:08 UTCEG score recompute
- 2026-07-06 00:08 UTCVendor advisory
- 2026-07-05 20:29 UTCEG score recompute
- 2026-07-05 20:29 UTCVendor advisory
- 2026-07-05 16:50 UTCEG score recompute
- 2026-07-05 16:50 UTCVendor advisory
- 2026-07-05 13:10 UTCEG score recompute
- 2026-07-05 13:10 UTCVendor advisory
- 2026-07-05 09:31 UTCEG score recompute
- 2026-07-05 09:31 UTCVendor advisory
- 2026-07-05 05:53 UTCEG score recompute
- 2026-07-05 05:53 UTCVendor advisory
- 2026-07-05 02:13 UTCEG score recompute
- 2026-07-05 02:13 UTCVendor advisory
- 2026-07-04 22:34 UTCEG score recompute
- 2026-07-04 22:34 UTCVendor advisory
- 2026-07-04 18:55 UTCEG score recompute
- 2026-07-04 18:55 UTCVendor advisory
Publicly available exploits
(10 references)Working exploit code is in the public domain (2 Metasploit modules) (8 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCzangcc/CVE-2022-22965-rexbbFirst seen Dec 28, 2022
CVE-2022-22965\Spring-Core-RCE核弹级别漏洞的rce图形化GUI一键利用工具,基于JavaFx开发,图形化操作更简单,提高效率。
Open source ↗ - GitHub PoCtpt11fb/SpringVulScanFirst seen Jun 19, 2022
burpsuite 的Spring漏洞扫描插件。SpringVulScan:支持检测:路由泄露|CVE-2022-22965|CVE-2022-22963|CVE-2022-22947|CVE-2016-4977
Open source ↗ - GitHub PoCalt3kx/CVE-2022-22965First seen Apr 7, 2022
Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
Open source ↗ - GitHub PoC4nth0ny1130/spring4shell_behinderFirst seen Apr 7, 2022
CVE-2022-22965写入冰蝎webshell脚本
Open source ↗ - Metasploitexploit/multi/http/spring_framework_rce_spring4shell✓ verifiedFirst seen Apr 4, 2022
Spring Framework data-binding RCE via classLoader manipulation.
Open source ↗ - GitHub PoCSecNN/SpringFramework_CVE-2022-22965_RCEFirst seen Apr 1, 2022
SpringFramework 远程代码执行漏洞CVE-2022-22965
Open source ↗ - GitHub PoCFourCoreLabs/spring4shell-exploit-pocFirst seen Mar 31, 2022
Exploit a vulnerable Spring application with the Spring4Shell (CVE-2022-22965) Vulnerability.
Open source ↗ - GitHub PoCreznok/Spring4Shell-POCFirst seen Mar 31, 2022
Dockerized Spring4Shell (CVE-2022-22965) PoC application and exploit
Open source ↗ - Metasploitexploit/multi/http/spring_framework_rce_spring4shell✓ verifiedFirst seen Mar 31, 2022
Spring Framework Class property RCE (Spring4Shell)
Open source ↗ - GitHub PoCTheGejr/SpringShellFirst seen Mar 30, 2022
Spring4Shell - Spring Core RCE - CVE-2022-22965
Open source ↗
Past incidents using this CVE
(1)This CVE was central to one or more publicly-documented breaches. Each card links to authoritative reporting at the time of the incident.
- Spring4Shell (Spring Framework)Mar 2022
Spring Framework data-binding flaw allowed RCE on JDK 9+ web apps via classloader manipulation. Initially conflated with a Spring Cloud Function CVE, causing widespread confusion.
Source: BleepingComputer
Frequently asked(6)
What is CVE-2022-22965?
When was CVE-2022-22965 disclosed?
Is CVE-2022-22965 actively exploited?
What is the CVSS score of CVE-2022-22965?
Which products are affected by CVE-2022-22965?
How do I remediate CVE-2022-22965?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2022-22965
Is Your Infrastructure Affected by CVE-2022-22965?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.