We have released Spring Framework 5.3.17 to address the following CVE report.

Please review the information in the CVE report and upgrade immediately.

Spring Boot users should upgrade to 2.5.11 or 2.6.5.

CVE-2022-22950: Spring Expression DoS Vulnerability

  • Severity

    Medium

  • Vendor

    Spring by VMware

  • Description

    In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

  • Affected VMware Products and Versions

    Severity is medium unless otherwise noted.

    • Spring Framework
    • 5.3.0 to 5.3.16
    • Older, unsupported versions are also affected
  • Mitigation

    Users of affected versions should upgrade to 5.3.17+. No other steps are necessary. Releases that have fixed this issue include:

    • Spring Framework
      • 5.3.17+
  • Credit

    This vulnerability was initially discovered and responsibly reported by 4ra1n.

  • References

  • History

    2022-03-28: Initial vulnerability report published.

Reference