CVSS 3.1 Score 9.8 of 10 (high)


Published Apr 1, 2022
Updated: Feb 9, 2023


The vulnerability with CVE ID CVE-2022-22965, also known as Spring4Shell or SpringShell, affects Spring MVC and Spring WebFlux applications running on JDK 9+. It allows remote code execution (RCE) through data binding. The specific exploit, however, requires the application to be deployed to Tomcat as a WAR; an application running as a Spring Boot executable jar is not vulnerable to it. It is important to note that while this specific exploit requires Tomcat and a WAR deployment, there may be other ways to exploit the underlying vulnerability. Organizations should ensure that their Spring MVC and Spring WebFlux applications are properly secured to mitigate any potential risk of RCE.
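
As an added example that is not part of this advisory, the following Spring MVC `@ControllerAdvice` shows the data-binding hardening approach: it denylists the `class`-rooted property paths that request-parameter binding would otherwise walk, which is the route this RCE takes. The package name is assumed; upgrading to a patched Spring Framework release remains the actual fix, and a binder denylist of this kind is only a stopgap while that upgrade is rolled out.

```java
package example.security; // hypothetical package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binding hardening for CVE-2022-22965.
 *
 * Spring data binding resolves nested property paths taken from request
 * parameters. Any path that reaches the "class" (or "Class") property of a
 * bound object must be rejected, because from there the binder can be led to
 * the class loader and then to container internals.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // "class.*" / "Class.*" block paths rooted at the bound object itself;
    // "*.class.*" / "*.Class.*" block the same property on any nested bean.
    // Both capitalisations are listed because field matching was
    // case-sensitive in the affected releases.
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void hardenBinder(WebDataBinder binder) {
        // Caveat: a controller's own @InitBinder that calls
        // setDisallowedFields(...) replaces this list for that controller,
        // so such controllers must merge these patterns into their own list.
        binder.setDisallowedFields(DENYLIST);
    }
}
```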

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2022-22965 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options