A fix appears to have been pushed but is not available in a stable release yet

Researchers have uncovered a code injection flaw in the Spring Cloud framework

Cybersecurity researchers have disclosed a remote code execution (RCE) flaw in the Spring Cloud computing framework that poses a remote attack risk.

On March 28, infosec firm NSFOCUS published a security advisory describing a vulnerability in Spring Cloud Function that allows attackers to “provide a specially crafted Spring Expression Language (SpEL) as a routing-expression that may result in access to local resources”.


VMware Spring Cloud is an open source collection of developer projects for distributed systems on Spring, ranging from service discovery to configuration management. Spring Cloud Function is a project that abstracts all transport details and infrastructure, allowing developers to concentrate on putting together applications based on business logic components.

The Spring Cloud project is on GitHub.

Trigger point

According to NSFOCUS, the vulnerability is triggered by the spring.cloud.function.routing-expression parameter in the request header. This parameter is processed as a SpEL expression when routing is in use.

If inadequately protected, expressions can lead to Expression Language (EL) injections. Depending on the EL injection’s severity, attackers may be able to access server-side content, tamper with functionality, hijack accounts, or more.

In this case, the bug is specifically a SpEL injection. The researchers said that this Spring Cloud Function vulnerability, tracked as CVE-2022-22963 and rated as critical (CVSS 9.8), could result in the remote injection of arbitrary code.
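As an added example for defenders (not code from NSFOCUS or the Spring project), the following Python scans raw HTTP requests for the routing-expression header named in the advisory and grades each hit. The sample requests, the /fn path, the host name, and the rule that anything other than a plain name is "high" are assumptions of this example.

```python
import re

# Header named in the NSFOCUS advisory; HTTP header names are case-insensitive.
ROUTING_HEADER = "spring.cloud.function.routing-expression"
# Assumption of this example: a value that is only an identifier is lower priority.
PLAIN_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def parse_headers(raw_request):
    """Return (request_line, [(lowercased_name, value), ...]) for a raw HTTP/1.x request."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # Obsolete line folding: the value continues on the next line.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def classify(raw_request):
    """Return one finding per routing-expression header; an empty list means no hit."""
    request_line, headers = parse_headers(raw_request)
    findings = []
    for name, value in headers:
        if name != ROUTING_HEADER:
            continue
        severity = "review" if PLAIN_NAME.match(value) else "high"
        findings.append({"request": request_line, "severity": severity, "value": value})
    return findings

# Constructed sample requests (not taken from the advisory or from any PoC).
SAMPLES = [
    "POST /fn HTTP/1.1\r\nHost: app.example\r\nContent-Type: text/plain\r\n\r\nhello",
    "POST /fn HTTP/1.1\r\nHost: app.example\r\n"
    "Spring.Cloud.Function.Routing-Expression: uppercase\r\n\r\nhello",
    "POST /fn HTTP/1.1\r\nHost: app.example\r\n"
    "spring.cloud.function.routing-expression: <constructed expression>()\r\n\r\nhello",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for finding in classify(sample):
            print(finding)
```

Any hit from an untrusted client is worth reviewing on an unpatched deployment, since the page states the header value is processed as SpEL when routing is in use.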


Spring Cloud Function versions 3.1.6, 3.2.2, and older versions of the technology are impacted.

The researchers have published details of the vulnerability along with proof-of-concept (PoC) exploit code.

In a notice published by Oleg Zhurakousky, the developer said users would need to upgrade to Spring Cloud Function versions 3.1.7 or 3.2.3 to patch against the security flaw.

At the time of writing, a fix has been committed but does not belong to a stable branch. In other words, a patch is ready for the next release but has not been released yet.
