Spring4Shell/RCE in Spring Core-Simple Analysis

Michael Koczwara
Apr 3, 2022

Spring4Shell simple POC/CVE-2022-22965

Affected Software and Versions

Existing proofs of concept (POCs) for exploitation work under the following conditions:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Any Java application that uses the Spring Beans package (spring-beans-*.jar) together with Spring parameter binding could be affected by this vulnerability.
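To check a deployment against the packaging conditions above, the following added example (not code from the original post) inspects a WAR for spring-beans, spring-webmvc and spring-webflux jars and compares their versions with the listed ranges. It assumes the jars keep Maven-style file names that carry the version; the function names are hypothetical and the sample WAR is constructed in memory.

```python
import io
import re
import zipfile

# First fixed release per line, from the ranges above (5.3.0-5.3.17, 5.2.0-5.2.19).
FIRST_FIXED = {(5, 3): 18, (5, 2): 20}
JAR_RE = re.compile(
    r"WEB-INF/lib/(spring-(?:beans|webmvc|webflux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def version_affected(major, minor, patch):
    """True when the version falls in the ranges the article lists."""
    if (major, minor) in FIRST_FIXED:
        return patch < FIRST_FIXED[(major, minor)]
    return (major, minor) < (5, 2)  # "and older versions"


def audit_war(war):
    """Report which packaging conditions a WAR (path or file object) meets.

    JDK version and servlet container are runtime properties that the
    archive does not record, so they are not checked here.
    """
    found = {}
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if m:
                found[m.group(1)] = tuple(int(g) for g in m.group(2, 3, 4))
    beans = found.get("spring-beans")
    beans_affected = beans is not None and version_affected(*beans)
    has_web = "spring-webmvc" in found or "spring-webflux" in found
    return {"jars": found, "beans_affected": beans_affected,
            "web_dependency": has_web,
            "matches_conditions": beans_affected and has_web}


def build_sample_war(version, libs=("spring-beans", "spring-webmvc")):
    """Constructed sample: an in-memory WAR holding empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for lib in libs:
            zf.writestr(f"WEB-INF/lib/{lib}-{version}.jar", b"")
    return buf


if __name__ == "__main__":
    for v in ("5.3.17", "5.3.18", "5.2.19.RELEASE", "4.3.30.RELEASE"):
        print(v, audit_war(build_sample_war(v))["matches_conditions"])
```

A match means the archive meets the dependency and version conditions only; whether it runs on JDK 9 or higher under Tomcat has to be confirmed on the host.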

Spring4Shell POC Application

We can follow the instructions below and create a vulnerable environment to test the exploit and affected Spring version (I have created my own Docker environment in DigitalOcean).


Spring4Shell Exploit code (POC)


Quick Summary

Running Docker and vulnerable Spring app

docker environment

Executing payload

executing payload

Webshell uploaded and root access obtained