Tags: Spring4Shell, Spring, Java, CVE-2022-22965, RCE, framework

Spring4Shell CVE-2022-22965: Critical RCE in Spring Framework

Spring4Shell is a remote code execution vulnerability in Spring Framework. Analysis of CVE-2022-22965, exploitation conditions and how to protect Java applications.

23 April 2026, 3 min read

In March 2022, the Java community was on high alert: Spring4Shell (CVE-2022-22965) had just been disclosed — a remote code execution vulnerability in Spring Framework, one of the most widely used Java frameworks in the world. The name echoed Log4Shell, and the panic was similar: millions of applications potentially exposed.

What is Spring4Shell?

CVE-2022-22965 is a data binding vulnerability in Spring MVC and Spring WebFlux. It exploits Spring's automatic HTTP parameter-to-Java-object binding to access sensitive JVM ClassLoader properties, ultimately enabling arbitrary file writes on the server.

CVSS Score: 9.8 (Critical)
Published: March 31, 2022
Affected versions: Spring Framework 5.3.0–5.3.17, 5.2.0–5.2.19

Exploitation Conditions

Unlike Log4Shell, which was near-universal, Spring4Shell requires specific conditions to be exploitable:

  1. JDK 9 or higher: the exploit relies on the Module API introduced in Java 9 (Class.getModule()), which is what makes the class.module.classLoader property path reachable
  2. Apache Tomcat as the servlet container (classic WAR packaging)
  3. Spring MVC or WebFlux with data binding enabled
  4. A handler that binds request parameters onto a plain Java object (no @RequestParam usage): methods that take their input through @RequestBody or @RequestParam are not directly vulnerable

These conditions limited exploitation compared to Log4Shell, but a very large number of enterprise applications matched this profile.

Exploitation Mechanism

The exploit leverages Spring's data binding behavior. By sending an HTTP request with specially crafted parameters, an attacker can:

  1. Access class.module.classLoader properties through data binding
  2. Modify Tomcat's AccessLogValve configuration
  3. Force Tomcat to write a JSP web shell to the webapps/ directory
  4. Execute arbitrary commands via the web shell

POST /path HTTP/1.1
Content-Type: application/x-www-form-urlencoded

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20...
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

CVE-2022-22950 and CVE-2022-22963: Other Spring CVEs

During the same period, two other Spring vulnerabilities were disclosed:

  • CVE-2022-22950: DoS in Spring Expression Language (SpEL)
  • CVE-2022-22963: RCE in Spring Cloud Function via SpEL (CVSS 9.8) — sometimes confused with Spring4Shell, easier to exploit but limited scope (Spring Cloud only)

Detecting the Vulnerability

Scan Your Maven/Gradle Dependencies

# With Maven: list every Spring artifact in the dependency tree
mvn dependency:tree | grep spring

# Find vulnerable spring-webmvc / spring-webflux versions (5.3.0-5.3.17 and 5.2.0-5.2.19).
# dependency:tree prints the version followed by ':' (e.g. spring-webmvc:jar:5.3.17:compile),
# so anchoring on ':' keeps the patched 5.3.18 and 5.2.20 out of the match.
mvn dependency:tree | grep -E "spring-webmvc|spring-webflux" | grep -E "5\.3\.([0-9]|1[0-7]):|5\.2\.([0-9]|1[0-9]):"

With OWASP Dependency-Check

dependency-check --project "MyApp" --scan . --format HTML

How to Protect Your Applications

1. Update Spring Framework

<!-- Maven — patched versions -->
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>5.3.18</version> <!-- or 5.2.20+ -->
</dependency>

Spring Boot 2.6.6+ and 2.5.12+ include the patched versions.

2. Update Spring Boot

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.6</version>
</parent>

3. Workaround Without Updating

If an immediate update isn't possible, block data binding for every property path that goes through class (this is the workaround Spring published):

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;

@InitBinder
public void initBinder(WebDataBinder binder) {
    // Reject any binding path starting with or containing "class"/"Class",
    // which covers class.module.classLoader and the older class.classLoader form.
    String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
    binder.setDisallowedFields(denylist);
}

Or apply globally via a @ControllerAdvice.

4. WAF Rules

WAF rules blocking class.module.classLoader patterns in HTTP parameters were quickly published by vendors (ModSecurity, Cloudflare, AWS WAF).
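As an added illustration of what such a rule has to check (this is example code written for this article, not a vendor's WAF rule), the Python filter below decodes parameter names in both the query string and the form body before matching the class.module.classLoader binding path, so that a double-encoded probe is not missed. The sample requests are constructed and follow the shape of the request shown above.

```python
"""Spring4Shell (CVE-2022-22965) probe detection for raw HTTP requests (WAF-style check)."""
import re
from urllib.parse import unquote_plus

# Binding path the exploit walks (class.module.classLoader on JDK 9+); the older
# class.classLoader form is covered too. Case-insensitive, like the vendor WAF rules.
CLASSLOADER_PATH = re.compile(r"\bclass\.(?:module\.)?classloader\b", re.IGNORECASE)


def normalise(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding; double encoding is a common WAF evasion."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classloader_params(form_data):
    """Decoded parameter names in a urlencoded string that traverse the ClassLoader path."""
    names = (normalise(pair.split("=", 1)[0]) for pair in form_data.split("&"))
    return [name for name in names if CLASSLOADER_PATH.search(name)]


def inspect_request(raw_request):
    """Check both the query string and the body of a raw HTTP/1.1 request (CRLF line endings assumed)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    target = head.split("\r\n", 1)[0].split(" ")[1]
    return classloader_params(target.partition("?")[2]) + classloader_params(body)


# Constructed samples, not real traffic: a form-encoded probe using the parameter names shown above,
# a double-encoded GET variant, and a benign request that merely has a parameter named "class".
PROBE_REQUEST = ("POST /path HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
                 "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT")
ENCODED_PROBE = "GET /?class%252Emodule%252EclassLoader%252Eresources=x HTTP/1.1\r\nHost: app\r\n\r\n"
BENIGN_REQUEST = "POST /path HTTP/1.1\r\n\r\nclass=2022&name=alice"

if __name__ == "__main__":
    for request in (PROBE_REQUEST, ENCODED_PROBE, BENIGN_REQUEST):
        print(inspect_request(request))
```

Note that a Tomcat access log only records the request target, never a POST body, so a log-based search with the same pattern catches the GET-style variants only.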

Real Impact vs. Initial Panic

In practice, Spring4Shell exploitation was less catastrophic than Log4Shell for several reasons:

  • Prerequisites (JDK 9+, Tomcat WAR) excluded many deployments
  • Spring Boot Executable JAR (the most common deployment mode since ~2018) was not affected by the Tomcat vector
  • The community responded quickly with patches and workarounds

That said, exploitation campaigns did occur, notably by botnets dropping cryptocurrency miners.


Check if your Spring applications are exposed on cveo.tech — search for spring-webmvc or CVE-2022-22965 to identify relevant CVEs.