Back to KEVs

CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific...

Basic Information

CVE State: PUBLISHED
Reserved Date: January 10, 2022
Published Date: April 01, 2022
Last Updated: January 29, 2025
Vendor: n/a
Product: Spring Framework
Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2022-04-04 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2022-12-12 16:30:05 UTC) Source

References

https://tanzu.vmware.com/security/cve-2022-22965 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67 https://www.oracle.com/security-alerts/cpuapr2022.html https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005 http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf https://www.oracle.com/security-alerts/cpujul2022.html http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2022-04-04 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/spring_framework_rce_spring4shell.rb	2025-04-29 11:01:23 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-22965.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

spring_framework_rce_spring4shell

Type: metasploit • Created: Unknown

Metasploit module for CVE-2022-22965

jakabakos/CVE-2022-22965-Spring4Shell

Type: github • Created: 2023-06-20 11:45:29 UTC • Stars: 2

PoC and exploit for CVE-2022-22965 Spring4Shell

BKLockly/CVE-2022-22965

Type: github • Created: 2023-06-03 16:39:50 UTC • Stars: 3

Poc&Exp,支持批量扫描,反弹shell

zangcc/CVE-2022-22965-rexbb

Type: github • Created: 2022-12-28 04:50:16 UTC • Stars: 100

CVE-2022-22965\Spring-Core-RCE核弹级别漏洞的rce图形化GUI一键利用工具，基于JavaFx开发，图形化操作更简单，提高效率。

devengpk/CVE-2022-22965

Type: github • Created: 2022-12-12 16:30:05 UTC • Stars: 0

iloveflag/Fast-CVE-2022-22965

Type: github • Created: 2022-11-08 13:45:35 UTC • Stars: 4

CVE-2022-22965图形化检测工具

D1mang/Spring4Shell-CVE-2022-22965

Type: github • Created: 2022-07-05 03:03:31 UTC • Stars: 2

EXP for Spring4Shell(CVE-2022-22965)

khidottrivi/CVE-2022-22965

Type: github • Created: 2022-04-27 07:57:50 UTC • Stars: 3

mariomamo/CVE-2022-22965

Type: github • Created: 2022-04-23 09:01:22 UTC • Stars: 5

p1ckzi/CVE-2022-22965

Type: github • Created: 2022-04-12 14:59:42 UTC • Stars: 21

spring4shell | CVE-2022-22965

CalumHutton/CVE-2022-22965-PoC_Payara

Type: github • Created: 2022-04-07 15:26:15 UTC • Stars: 3

wikiZ/springboot_CVE-2022-22965

Type: github • Created: 2022-04-07 02:30:26 UTC • Stars: 6

CVE-2022-22965 pocsuite3 POC

alt3kx/CVE-2022-22965

Type: github • Created: 2022-04-07 00:08:16 UTC • Stars: 102

Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)

LudovicPatho/CVE-2022-22965_Spring4Shell

Type: github • Created: 2022-04-05 20:34:36 UTC • Stars: 2

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.