Vulnerability in the Spring Framework (CVE-2022-22965)

March 31, 2022

Updated Apr. 1, 2022


A critical vulnerability has been found in the widely used Java framework Spring Core. Remote Code Execution (RCE) is possible and a Proof-of-Concept has already been released, but how the vulnerability can be exploited varies with system configuration, and research on it is still evolving.

Vulnerable Library

  • Spring Core <= 5.2.19, <= 5.3.17
  • Spring Boot <= 2.6.5

Exploit Requirements (for the known scenario)

  • JDK 9 and above
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
  • Confirmed on an external/stand-alone Tomcat application server; other application servers unknown

Mitigation

  • Upgrade the Spring Framework to 5.3.18 or 5.2.20, or later

  • Upgrade Spring Boot to 2.6.6 or later

  • Late yesterday new versions of Tomcat were released (versions 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14) that hardened the class loader against CVE-2022-22965.
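As an added example (not part of this advisory), a small Python helper that encodes the version boundaries listed above so an inventory of deployed components can be checked consistently; the JDK major version and Tomcat version inputs are assumptions about what such an inventory records.

```python
"""Added triage helper (not from the advisory): check observed component
versions against the CVE-2022-22965 ranges stated on this page."""
import re

# Fixed releases as named in the advisory, one per affected minor line.
SPRING_FIXED = ["5.2.20", "5.3.18"]
BOOT_FIXED = ["2.6.6"]
TOMCAT_FIXED = ["8.5.78", "9.0.62", "10.0.20", "10.1.0-M14"]

# major.minor.patch plus an optional milestone/RC tag; trailing qualifiers
# such as ".RELEASE" on older Spring artifacts are ignored by the match.
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](?:M|RC)(\d+))?", re.IGNORECASE)

def parse_version(text):
    """'5.3.17' -> (5, 3, 17, (1, 0)); '10.1.0-M14' -> (10, 1, 0, (0, 14)).
    A GA release gets pre-release key (1, 0) so it sorts after any M/RC of
    the same x.y.z: 10.1.0-M13 < 10.1.0-M14 < 10.1.0 by tuple comparison."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    pre_key = (1, 0) if pre is None else (0, int(pre))
    return (int(major), int(minor), int(patch), pre_key)

def is_fixed(version, fixed_releases):
    """True if `version` is at or past the fix on its own minor line, or on a
    newer minor line than every named fix. Older lines (Spring 5.1.x and
    below, which the advisory lists as vulnerable) return False."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_releases)
    for f in fixed:
        if v[:2] == f[:2]:
            return v >= f
    return v > fixed[-1]

def triage(spring, boot=None, jdk_major=None, tomcat=None):
    """Classify one deployment. A hardened Tomcat only closes the known
    exploit path; the framework stays reported vulnerable until upgraded."""
    findings = {"spring_vulnerable": not is_fixed(spring, SPRING_FIXED)}
    if boot is not None:
        findings["boot_vulnerable"] = not is_fixed(boot, BOOT_FIXED)
    if jdk_major is not None and tomcat is not None:
        # Known scenario per the advisory: JDK 9+ on a stand-alone Tomcat
        # older than the class-loader hardening releases.
        findings["known_scenario_exposed"] = (findings["spring_vulnerable"]
            and jdk_major >= 9 and not is_fixed(tomcat, TOMCAT_FIXED))
    return findings
```

Pass `jdk_major=8` for a JDK 1.8 runtime; the helper treats that as outside the known scenario while still flagging the framework version.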


The blog post below includes information on deploying workarounds for this vulnerability; however, these should only be used as temporary measures.

Additional Steps

If you are unable to quickly mitigate this vulnerability on a P3 or P4 system, please open a ticket with ISO by emailing

If you are using a vendor supplied Spring Framework/Boot application, please consult with your vendor on supported mitigation actions.