Skip to content

Fix CVE-2022-22965 (Spring4Shell): Upgrade Spring Boot to 2.6.6#16

Draft
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-spring4shell-vulnerability-again
Draft

Fix CVE-2022-22965 (Spring4Shell): Upgrade Spring Boot to 2.6.6#16
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-spring4shell-vulnerability-again

Conversation

Copilot AI commented Dec 12, 2025

Copy link
Copy Markdown
Contributor

Critical RCE vulnerability (CVE-2022-22965, CVSS 9.8) exists in Spring Framework <5.3.18. Current version 5.3.16 is vulnerable.

Changes

  • Upgraded spring-boot-starter-web from 2.5.10 → 2.6.6
    • Transitively updates Spring Framework from 5.3.16 → 5.3.18 (patched)
// build.gradle.kts
- implementation ("org.springframework.boot:spring-boot-starter-web:2.5.10")
+ implementation ("org.springframework.boot:spring-boot-starter-web:2.6.6") // Fixed CVE-2022-22965

Spring Boot 2.6.6 is the first version containing Spring Framework 5.3.18, which patches the Spring4Shell vulnerability affecting JDK 9+ / Tomcat WAR deployments.

Original prompt

This section details on the original issue you should resolve

<issue_title>CRITICAL: Remote Code Execution (Spring4Shell) in Spring Framework - CVE-2022-22965</issue_title>
<issue_description>## Vulnerability Details

Entities in this repository:

  1. AuthenticationService

Remediation Plan

Summary

A critical remote code execution vulnerability (CVE-2022-22965, 'Spring4Shell') has been identified in the Spring Framework prior to versions 5.2.20 and 5.3.18. This vulnerability allows attackers to execute arbitrary code on affected systems via data binding in Spring MVC or Spring WebFlux applications running on JDK 9+ and Apache Tomcat as a WAR deployment. The vulnerability is rated CRITICAL with a CVSS score of 9.8.

Risk Assessment

  • Severity: CRITICAL
  • CVSS Score: 9.8
  • Exploit Prerequisites:
    • JDK 9 or higher
    • Apache Tomcat as the Servlet container
    • Application packaged as WAR
    • Use of spring-webmvc or spring-webflux dependency
  • Impact: Successful exploitation can lead to full remote code execution, potentially compromising the confidentiality, integrity, and availability of the affected services.

Affected Resources

The following services are confirmed to be affected:

  • AuthenticationService (GUID: MTI5MjIyMzV8QVBNfEFQUExJQ0FUSU9OfDcyNDE5ODI2)
  • InventoryManagementService (GUID: MTI5MjIyMzV8QVBNfEFQUExJQ0FUSU9OfDcyNDI5Mzg5)
  • FuzzyService (GUID: MTI5MjIyMzV8QVBNfEFQUExJQ0FUSU9OfDcyNDMwMjky)
  • UserMappingService (GUID: MTI5MjIyMzV8QVBNfEFQUExJQ0FUSU9OfDcyNDMwMjQy)
  • RoutingService (GUID: MTI5MjIyMzV8QVBNfEFQUExJQ0FUSU9OfDY1OTA0NDU1)
  • PaymentService (GUID: MTI5MjIyMzV8QVBNfEFQUExJQ0FUSU9OfDY1OTMyMzAw)

Your Task, @copilot

  • Analyze the existing codebase for each affected service listed above.
  • Identify and modify the correct, existing file(s) where the vulnerable Spring Framework dependency is declared.
  • Do NOT generate new files if a relevant source file already exists.
  • Modify the existing resource block(s) to upgrade the Spring Framework dependency and apply the fix.

Generated by Security Agent Workflow</issue_description>

Comments on the Issue (you are @copilot in this section)


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Co-authored-by: pagarwal-dev <224537592+pagarwal-dev@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix remote code execution vulnerability CVE-2022-22965 Fix CVE-2022-22965 (Spring4Shell): Upgrade Spring Boot to 2.6.6 Dec 12, 2025
Copilot AI requested a review from pagarwal-dev December 12, 2025 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CRITICAL: Remote Code Execution (Spring4Shell) in Spring Framework - CVE-2022-22965

2 participants