VYPR
Moderate severity · NVD Advisory · Published Apr 1, 2022 · Updated Aug 3, 2024

CVE-2022-22950

Description

A specially crafted SpEL expression in Spring Framework 5.3.0 through 5.3.16 can cause a denial of service by exceeding array element thresholds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Spring Framework versions 5.3.0 through 5.3.16 (and older unsupported versions), the Spring Expression Language (SpEL) evaluation does not enforce a limit on the number of elements declared in an array constructor [1]. A user can supply a specially crafted SpEL expression that attempts to create an array with an extremely large number of elements, leading to excessive memory allocation. The fix introduces a maximum array element threshold of 256K (256 * 1024) and a corresponding error message MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED in version 5.3.17 [2][3].

Exploitation

An attacker needs the ability to submit a SpEL expression for evaluation, which typically requires either direct user input to a vulnerable application or the ability to influence expression templates. No authentication is required if the expression interface is publicly exposed. The attack consists of providing an array declaration with a size value exceeding safe limits, such as new int[Integer.MAX_VALUE], triggering the denial of service [2][3].

Impact

Successful exploitation results in a denial of service (DoS) condition due to high memory consumption or resource exhaustion when the SpEL evaluator attempts to allocate an oversized array. This can degrade or crash the application server, impacting availability [1].

Mitigation

Fixed in Spring Framework versions 5.3.17 and 5.2.20.RELEASE [2][3][4]. Users should upgrade to these or later versions. For older unsupported versions, no official patch is available; users must migrate to a supported version. No workaround is documented.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Ecosystem   Affected versions     Patched versions
org.springframework:spring-expression  Maven       >= 5.3.0, < 5.3.17    5.3.17
org.springframework:spring-expression  Maven       < 5.2.20.RELEASE      5.2.20.RELEASE
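The following Python check is an added example, not part of the advisory: it encodes the two affected ranges from the package table above and the upgrade advice under Mitigation, and scans `mvn dependency:list` output (a constructed sample is embedded) to flag resolved spring-expression versions that still need the upgrade.

```python
"""Flag spring-expression versions affected by CVE-2022-22950.
Affected ranges from the advisory's package table:
  >= 5.3.0, < 5.3.17 (patched in 5.3.17) and < 5.2.20.RELEASE (patched in 5.2.20.RELEASE)
"""
import re

ARTIFACT = "org.springframework:spring-expression"

def parse_version(version: str) -> tuple:
    """'5.2.19.RELEASE' or '5.3.16' -> (major, minor, patch); qualifiers such as
    RELEASE are dropped and missing parts count as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    """True if the version falls in either affected range."""
    v = parse_version(version)
    return (5, 3, 0) <= v < (5, 3, 17) or v < (5, 2, 20)

def scan_dependency_list(output: str) -> list:
    """Scan `mvn dependency:list` output for spring-expression and return
    (version, affected) pairs. Coordinates are groupId:artifactId:type:version:scope;
    lines carrying a classifier (six fields) are skipped."""
    results = []
    for line in output.splitlines():
        token = next((t for t in line.split() if t.startswith(ARTIFACT + ":")), None)
        if token is None:
            continue
        coords = token.split(":")
        if len(coords) != 5:
            continue
        results.append((coords[3], is_affected(coords[3])))
    return results
# Constructed sample output, not captured from a real build.
SAMPLE = """\
[INFO]    org.springframework:spring-core:jar:5.3.16:compile
[INFO]    org.springframework:spring-expression:jar:5.3.16:compile
[INFO]    org.springframework:spring-expression:jar:5.2.20.RELEASE:compile
[INFO]    org.springframework:spring-expression:jar:5.3.17:compile
"""
if __name__ == "__main__":
    for version, affected in scan_dependency_list(SAMPLE):
        print(f"{ARTIFACT}:{version} -> {'AFFECTED' if affected else 'not affected'}")
```

Unparsable version strings reduce to (0, 0, 0) and are therefore reported as affected, which is the conservative outcome for a triage script.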

Patches

83ac65915871

Improve diagnostics in SpEL for large array creation

2 files changed · +27 −3
  • spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java +22 −2 modified
    @@ -1,5 +1,5 @@
     /*
    - * Copyright 2002-2021 the original author or authors.
    + * Copyright 2002-2022 the original author or authors.
      *
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
    @@ -53,10 +53,18 @@
      *
      * @author Andy Clement
      * @author Juergen Hoeller
    + * @author Sam Brannen
      * @since 3.0
      */
     public class ConstructorReference extends SpelNodeImpl {
     
    +	/**
    +	 * Maximum number of elements permitted in an array declaration, applying
    +	 * to one-dimensional as well as multi-dimensional arrays.
    +	 * @since 5.3.17
    +	 */
    +	private static final int MAX_ARRAY_ELEMENTS = 256 * 1024; // 256K
    +
     	private final boolean isArrayConstructor;
     
     	@Nullable
    @@ -259,14 +267,19 @@ private TypedValue createArray(ExpressionState state) throws EvaluationException
     					// Shortcut for 1-dimensional
     					TypedValue o = this.dimensions[0].getTypedValue(state);
     					int arraySize = ExpressionUtils.toInt(typeConverter, o);
    +					checkNumElements(arraySize);
     					newArray = Array.newInstance(componentType, arraySize);
     				}
     				else {
     					// Multi-dimensional - hold onto your hat!
     					int[] dims = new int[this.dimensions.length];
    +					long numElements = 1;
     					for (int d = 0; d < this.dimensions.length; d++) {
     						TypedValue o = this.dimensions[d].getTypedValue(state);
    -						dims[d] = ExpressionUtils.toInt(typeConverter, o);
    +						int arraySize = ExpressionUtils.toInt(typeConverter, o);
    +						dims[d] = arraySize;
    +						numElements *= arraySize;
    +						checkNumElements(numElements);
     					}
     					newArray = Array.newInstance(componentType, dims);
     				}
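Review bot: In the multi-dimensional loop, a negative arraySize makes numElements negative, after which checkNumElements(numElements) can never fire for that dimension or any later one; the allocation is then rejected by Array.newInstance with a NegativeArraySizeException instead of a SpelEvaluationException. Consider rejecting arraySize < 0 before the line "numElements *= arraySize;". Checking inside the loop is otherwise the right choice: numElements is below 256K whenever a multiplication happens and each factor fits in an int, so the long product cannot overflow before the threshold check sees it.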
    @@ -327,6 +340,13 @@ else if (arrayTypeCode == TypeCode.SHORT) {
     		return new TypedValue(newArray);
     	}
     
    +	private void checkNumElements(long numElements) {
    +		if (numElements >= MAX_ARRAY_ELEMENTS) {
    +			throw new SpelEvaluationException(getStartPosition(),
    +					SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, MAX_ARRAY_ELEMENTS);
    +		}
    +	}
    +
     	private void populateReferenceTypeArray(ExpressionState state, Object newArray, TypeConverter typeConverter,
     			InlineList initializer, Class<?> componentType) {
     
    
  • spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java +5 −1 modified
    @@ -260,7 +260,11 @@ public enum SpelMessage {
     
     	/** @since 5.3.17 */
     	EXCEPTION_COMPILING_EXPRESSION(Kind.ERROR, 1074,
    -			"An exception occurred while compiling an expression");
    +			"An exception occurred while compiling an expression"),
    +
    +	/** @since 5.3.17 */
    +	MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED(Kind.ERROR, 1075,
    +			"Array declares too many elements, exceeding the threshold of ''{0}''");
     
     
     	private final Kind kind;
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
