CVE-2022-22965

Vendor N/A
Product Spring Framework
Weakness CWE-94 · Code injection
KEV Status Known Exploited
Published April 1, 2022
Last update October 21, 2025

CVSS base score

What the vulnerability does

01 Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

CISA mandated remediation

02 CISA Required Action

Apply updates per vendor instructions.

Key dates

03 Disclosure timeline

April 1, 2022 CVE published
October 21, 2025 Record updated