CVE-2022-22969
Description
Spring Security OAuth 2.5.x before 2.5.2 and older versions are vulnerable to DoS via repeated Authorization Request initiation, exhausting resources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application [1][2][3]. The vulnerability affects only OAuth 2.0 Client applications using the Authorization Code Grant flow.
Exploitation
An attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant using a single session [1][2][3]. No authentication or special privileges are required; the attacker only needs network access to the client application's authorization endpoint.
Impact
Successful exploitation can exhaust system resources (CPU, memory, or connection pools) leading to a Denial-of-Service condition [1][2][3]. The attack does not result in data disclosure or privilege escalation; it solely impacts availability.
Mitigation
Users should upgrade to Spring Security OAuth version 2.5.2 or later [2][3]. For older unsupported versions, upgrading to a supported version is recommended. No workarounds are documented. The vulnerability was disclosed on April 21, 2022 [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security.oauth:spring-security-oauth2 (Maven) | >= 2.5.0.RELEASE, < 2.5.2.RELEASE | 2.5.2.RELEASE |
| org.springframework.security.oauth:spring-security-oauth2 (Maven) | >= 2.4.0.RELEASE, < 2.4.2.RELEASE | 2.4.2.RELEASE |
Affected products
- Spring Security OAuth / Spring Security OAuth
- GHSA coordinates range: >= 2.5.0.RELEASE, < 2.5.2.RELEASE
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c2cp-3xj9-97w9 (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-22969 (source: GHSA; type: ADVISORY)
- spring.io/security/cve-2022-22969 (source: GHSA; type: WEB)
- tanzu.vmware.com/security/cve-2022-22969 (source: GHSA, x_refsource_MISC; type: WEB)
- www.oracle.com/security-alerts/cpujul2022.html (source: GHSA, x_refsource_MISC; type: WEB)
News mentions
No linked articles in our index yet.