
CVE-2022-22965

Unscored · EPSS 99.7% · CISA KEV · CWE-94 · Code Injection

Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

NVD only has a brief summary for this one — the community fills in the real-world detail below.

Community ground truth

Community verdict

3 verdicts
Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.


Community real-world severity: High (High 2 · Medium 1)

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

  • 0
    Field note · Mara Okonkwo · Curated

    Real RCE, but conditional: needs Spring MVC/WebFlux data binding, JDK 9+, and (classically) a WAR deployment on Tomcat. Spring Boot fat-JAR apps were largely not exploitable out of the box. Don't treat it as Log4Shell-tier.

  • 0
    Remediation · Nadia Petrova · Curated

    Upgrade to Spring Framework 5.3.18 / 5.2.20+ (and Boot 2.6.6 / 2.5.12+). If you can't, the disallowedFields @ControllerAdvice workaround blocks the class.* binding path.
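The @ControllerAdvice workaround mentioned in the remediation note, written out as an added example (editor's code, not from the page's contributors; the pattern and the four denylist entries follow the mitigation Spring published with the advisory). The class name BinderControllerAdvice is an assumption; any Spring-scanned component name works.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binding denylist for CVE-2022-22965.
 *
 * The exploit works by submitting request parameters whose property path
 * starts at the bound object's "class" getter and walks down into the
 * ClassLoader (class.module.classLoader...). Refusing any path that passes
 * through "class" or "Class", at the top level or nested, closes that route
 * for every controller this advice applies to. Class name is an assumption.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE - 10000) // ordering as in Spring's published snippet
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Patterns are matched against the property path of each request
        // parameter; both capitalisations and nested ("*.") forms are denied.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats a practitioner should check before relying on this. First, WebDataBinder.setDisallowedFields replaces the list rather than appending to it, so any controller that already has its own @InitBinder method calling setDisallowedFields overrides the global denylist and must include these four patterns itself. Second, this is a stopgap: the framework upgrade in the note above (5.3.18 / 5.2.20, or Boot 2.6.6 / 2.5.12) is the fix, and the advice should be removed or kept only as defence in depth once the upgrade lands.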