Skip to content

Fix CVE-2022-22965: Upgrade Spring Framework to 5.3.18#11

Draft
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-spring4shell-vulnerability
Draft

Fix CVE-2022-22965: Upgrade Spring Framework to 5.3.18#11
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-spring4shell-vulnerability

Conversation

Copilot AI commented Dec 11, 2025

Copy link
Copy Markdown
Contributor

Resolves critical Spring4Shell RCE vulnerability (CVE-2022-22965, CVSS 9.8) affecting Spring Framework < 5.3.18.

Changes

  • build.gradle.kts: Spring Boot 2.5.102.6.6
    • Transitively upgrades org.springframework:spring-beans from 5.3.16 to 5.3.18
    • All Spring Framework components now at patched version 5.3.18

Vulnerability Context

CVE-2022-22965 allows remote code execution via data binding in Spring MVC/WebFlux applications running on JDK 9+ with Tomcat. Exploitation requires no authentication.

dependencies {
-    implementation ("org.springframework.boot:spring-boot-starter-web:2.5.10")
+    implementation ("org.springframework.boot:spring-boot-starter-web:2.6.6")
}

Verified via dependency tree: all org.springframework:* artifacts now resolve to 5.3.18.

Original prompt

This section details on the original issue you should resolve

<issue_title>CRITICAL: Remote Code Execution (Spring4Shell) in Spring Framework (CVE-2022-22965)</issue_title>
<issue_description>## Vulnerability Details

Entities in this repository:

  1. AuthenticationService

Remediation Plan

Summary

A critical remote code execution vulnerability (CVE-2022-22965, aka Spring4Shell) exists in the Spring Framework prior to versions 5.2.20 and 5.3.18. This vulnerability allows attackers to execute arbitrary code on affected systems via data binding in Spring MVC or Spring WebFlux applications. The vulnerability is present when running on JDK 9+, with Apache Tomcat as the Servlet container, and the application is packaged as a WAR file. The affected service is: AuthenticationService (MTI5MjIyMzV8QVBNfEFQUExJQFUSU9OfDcyNDE5ODI2).

Risk Assessment

  • Severity: CRITICAL (CVSS 9.8)
  • Impact: Remote code execution, full system compromise
  • Exploitability: High, with public exploits available
  • Affected Library: org.springframework:spring-beans (current version: 5.3.16)

Affected Resources

  • Service: AuthenticationService
  • Library: org.springframework:spring-beans (version 5.3.16)

References

Your Task, @copilot

  • Analyze the existing codebase to locate where the org.springframework:spring-beans dependency is declared (e.g., in build.gradle, pom.xml, or other dependency management files).
  • Identify and modify the correct, existing file that manages dependencies for the AuthenticationService.
  • Do NOT generate new files if a relevant dependency management file already exists.
  • Modify the existing resource block for org.springframework:spring-beans to upgrade to version 5.3.18 or later, as per the official patch guidance.

Generated by Security Agent Workflow</issue_description>

Comments on the Issue (you are @copilot in this section)


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

…mework 5.3.18)

Co-authored-by: pagarwal-dev <224537592+pagarwal-dev@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix critical remote code execution vulnerability in AuthenticationService Fix CVE-2022-22965: Upgrade Spring Framework to 5.3.18 Dec 11, 2025
Copilot AI requested a review from pagarwal-dev December 11, 2025 18:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CRITICAL: Remote Code Execution (Spring4Shell) in Spring Framework (CVE-2022-22965)

2 participants