Spring4Shell (CVE-2022-22965)
What is Spring4Shell (CVE-2022-22965)?
Spring4Shell (CVE-2022-22965): A 2022 remote code execution vulnerability in Spring Framework caused by unsafe data binding on JDK 9+ that let attackers manipulate Tomcat properties to deploy a web shell.
Disclosed in late March 2022, Spring4Shell (CVE-2022-22965) is a remote code execution flaw in the Spring Framework's request mapping (Spring MVC and Spring WebFlux) on Java 9+ when applications are deployed on Tomcat as WAR files. By sending crafted request parameters whose property path traverses class.module.classLoader, attackers could rewrite Tomcat's logging configuration so that an attacker-controlled JSP file was written inside the webroot, granting unauthenticated RCE. It was occasionally confused with the unrelated CVE-2022-22963 in Spring Cloud Function. Defences are upgrading to Spring Framework 5.3.18/5.2.20 or later (JDK upgrades alone are not sufficient), blocking the documented parameter patterns at a WAF, and avoiding monolithic Tomcat WAR deployments.
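For applications that cannot upgrade immediately, Spring's advisory documented a global data-binder workaround that refuses to bind the parameter patterns this entry describes. The class below is an added illustration of that workaround, not code from this page; it assumes a Spring MVC application, and the package and class names are placeholders.

```java
package com.example.hardening; // placeholder package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Applies to every controller in the application. The @InitBinder method runs
 * before request parameters are bound to a model object, so any parameter whose
 * property path passes through "class" (and therefore through
 * class.module.classLoader) is dropped instead of being bound.
 *
 * This is a stop-gap only: upgrading to Spring Framework 5.3.18 / 5.2.20 or
 * later is the actual fix.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderHardeningAdvice {

    // The patterns published in the Spring advisory. Both spellings are listed
    // because disallowed-field matching was case-sensitive before 5.3.18.
    private static final String[] DISALLOWED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void disallowClassLoaderPaths(WebDataBinder binder) {
        binder.setDisallowedFields(DISALLOWED_FIELDS);
    }
}
```

Caveat from the advisory: a controller that calls setDisallowedFields in its own @InitBinder method overrides this global list, so such controllers must add the same patterns locally.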
● Examples
- 01: Sending a crafted POST with class.module.classLoader parameters to write a JSP shell into a Tomcat webapp.
- 02: Mass scanning Spring Boot apps deployed as WARs to plant web shells after the Spring4Shell disclosure.
● Frequently asked questions
What is Spring4Shell (CVE-2022-22965)?
A 2022 remote code execution vulnerability in Spring Framework caused by unsafe data binding on JDK 9+ that let attackers manipulate Tomcat properties to deploy a web shell. It belongs to the Vulnerabilities category of cybersecurity.
What does Spring4Shell (CVE-2022-22965) mean?
A 2022 remote code execution vulnerability in Spring Framework caused by unsafe data binding on JDK 9+ that let attackers manipulate Tomcat properties to deploy a web shell.
How do you defend against Spring4Shell (CVE-2022-22965)?
Defences for Spring4Shell (CVE-2022-22965) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Spring4Shell (CVE-2022-22965)?
Common alternative names include: CVE-2022-22965, Spring core RCE.