Spring Cloud Framework commits fix for code injection flaw

A fix seems to have been pushed but is not yet available in a stable release

Cybersecurity researchers have revealed a code injection flaw in the Spring Cloud computing framework that poses a risk of a remote attack.

On March 28, infosec firm NSFOCUS published a security advisory describing a vulnerability in Spring Cloud Function that allows attackers to “deliver a specially crafted Spring Expression Language (SpEL) as a routing expression that can cause the access to local resources”.

Keep up to date with the latest security research news

VMWare Spring Cloud is an open source collection of development projects for distributed systems on Spring, ranging from service discovery to configuration management. Spring Cloud Function is a project that abstracts all the details and transport infrastructure, allowing developers to focus on assembling applications based on business logic components.

The Spring Cloud project is on GitHub.

Trigger point

According to NSFOCUS, the vulnerability is triggered by the parameter in the request header. This parameter is treated as an SpEL expression when routing is used.

If not properly escaped, expressions can result in expression language injections (EL). Depending on the severity of the EL injection, attackers may be able to access server-side content, tamper with functionality, hijack accounts, and more.

In this case, the bug is specifically an SpEL injection. Researchers said this Spring Cloud Function vulnerability, tracked as CVE-2022-22963 and classified as a medium severity score, could lead to remote injection of arbitrary code.


Spring Cloud Function versions 3.1.6, 3.2.2 and earlier versions of the technology are affected.

Researchers have released details about the vulnerability along with proof-of-concept (PoC) exploit code.

In a notice posted by Oleg Zhurakousky, the developer said that users should upgrade to Spring Cloud Function versions 3.1.7 or 3.2.3 to fix the security flaw.

At the time of writing, a patch has been committed but does not belong to a stable branch. In other words, a fix is ​​ready for the next release but has not yet been implemented.

YOU MIGHT ALSO LIKE HTML parser bug triggers security flaw in Chromium XSS

Comments are closed.