CVE-2022-22963

Vendor: N/A
Product: Spring Cloud Function
Weakness: CWE-94 · Code injection
KEV Status: Known Exploited
Published: April 1, 2022
Last update: October 21, 2025

What the vulnerability does

01 Description

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

CISA mandated remediation

02 CISA Required Action

Apply updates per vendor instructions.

Key dates

03 Disclosure timeline

April 1, 2022: CVE published
October 21, 2025: Record updated