Critical severityCISA KEVNVD Advisory· Published Apr 1, 2022· Updated Oct 21, 2025
CVE-2022-22963
CVE-2022-22963
Description
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.cloud:spring-cloud-function-contextMaven | >= 3.2.0, < 3.2.3 | 3.2.3 |
org.springframework.cloud:spring-cloud-function-contextMaven | < 3.1.7 | 3.1.7 |
Affected products
1- Spring/Cloud Functiondescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- github.com/advisories/GHSA-6v73-fgf6-w5j7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-22963ghsaADVISORY
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-scf-rce-DQrHhJxHghsavendor-advisoryWEB
- packetstormsecurity.com/files/173430/Spring-Cloud-3.2.2-Remote-Command-Execution.htmlghsaWEB
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005ghsaWEB
- tanzu.vmware.com/security/cve-2022-22963ghsaWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
- www.oracle.com/security-alerts/cpuapr2022.htmlghsaWEB
- www.oracle.com/security-alerts/cpujul2022.htmlghsaWEB
News mentions
0No linked articles in our index yet.