PackageFix / CISA KEV / CVE-2022-22965

CVE-2022-22965 — Spring4Shell — Spring Framework CRITICAL

🔴 CISA KEV — Actively Exploited

CVSS Score: 9.8 · CRITICAL Severity

Spring4Shell is a critical remote code execution vulnerability in Spring Framework MVC and WebFlux applications running on Java 9 or later. An attacker can exploit data binding to write a malicious JSP file to the server and execute arbitrary code. Affected the majority of Spring Boot applications deployed on Apache Tomcat with Java 9+.

🔴 Confirmed Active Exploitation

CVE-2022-22965 is on the CISA Known Exploited Vulnerabilities catalog. This vulnerability is being used in real attacks against production systems right now. Fix immediately — do not wait for your next release cycle.

Affected Packages

EcosystemPackageVulnerableSafe versionFix
Java/Mavenspring-webmvc< 5.3.18 / < 5.2.206.1.6 (or 5.3.18 minimum)Fix guide →
Java/Mavenspring-webflux< 5.3.18 / < 5.2.206.1.6Fix guide →
Java/Mavenspring-boot< 2.6.6 / < 2.5.123.2.4Fix guide →

Vulnerability Timeline

Mar 29, 2022Zero-day PoC published on GitHub — exploit in the wild before patch.
Mar 31, 2022Spring Framework 5.3.18 and 5.2.20 released with fix.
Apr 1, 2022Spring Boot 2.6.6 and 2.5.12 released.
Apr 4, 2022CISA adds to KEV catalog. Mass scanning detected globally.
2022–2026Ongoing exploitation of unpatched Spring deployments.

Paste your manifest — get back a fixed version with all CVEs patched in seconds.

Open PackageFix →

No signup · No CLI · No GitHub · Runs 100% in your browser

Frequently Asked Questions

What is Spring4Shell?
Spring4Shell (CVE-2022-22965) is a remote code execution vulnerability in Spring Framework's data binding layer. An attacker sends specially crafted HTTP parameters that cause Spring to write a web shell to the server. Requires Java 9+ and Apache Tomcat deployment.
Am I affected by Spring4Shell?
You are affected if you use Spring MVC or WebFlux with Spring Framework before 5.3.18/5.2.20, deployed on Apache Tomcat, running on Java 9+. Embedded Tomcat (Spring Boot) is also affected.
What is the fix for Spring4Shell?
Upgrade Spring Framework to 5.3.18+ or 6.1.6+. If using Spring Boot, upgrade to 2.6.6+, 2.5.12+, or 3.x. Paste your pom.xml into PackageFix for transitive version resolution.
Is Spring4Shell still being exploited?
Yes — CISA KEV confirms ongoing exploitation. Unpatched Spring deployments are actively targeted by automated scanners and ransomware campaigns.
How do I find my Spring version in a Maven project?
Paste your pom.xml into PackageFix. It resolves spring.version property references and transitive Spring dependencies to confirm your exact version.

Related Guides

All CISA KEV Packages

Full actively exploited list

Fix spring-webmvc

Java/Maven fix guide

Supply Chain Attack Guide

5 attacks npm audit misses

Weekly CVE Digest

This week's critical CVEs