Spring4Shell-POC (CVE-2022-22965)


Spring4Shell (CVE-2022-22965) Proof Of Concept/Information

Early this morning, multiple sources has informed of a possible RCE exploit in the popular java framework spring.

The naming of this flaw is based on the similarities to the infamous Log4j LOG4Shell.



  • CVE-2022-22965


Found intresting poc here : https://github.com/craig/SpringCore0day/blob/main/exp.py 1. & https://twitter.com/vxunderground/status/1509170582469943303

https://github.com/reznok/Spring4Shell-POC – Docker, POC


!!(The following mitigations are only theoretical as nothing has been confirmed)!!

JDK Version under 9

Cyberkendra informed that JDK versions lower than JDK 9

You can easily check this by running

java -version

That will display something similar to this

openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-Ubuntu-120.04)
OpenJDK 64-Bit Server VM (build 17.0.2+8-Ubuntu-120.04, mixed mode, sharing)

If your JDK version is under 8, you might be safe, but nothing is confirmed yet

The following article will be updated

Check if you are using the spring framework

Do a global search after “spring-beans-.jar” and “spring.jar”

find . -name spring-beans*.jar

WIP :=)


  1. POC, translated fron this repository.


View Github