
Spring Cloud Function SpEL Injection Remote Code Execution (CVE-2022-22963)


Overview

Spring Cloud Function SpEL Injection Remote Code Execution, tracked as CVE-2022-22963, affects Spring Cloud Function applications that use routing functionality with vulnerable expression handling. Spring Cloud Function lets developers expose business logic as functions across different transports, so unsafe expression evaluation can sit directly on a request-handling path.

Vulnerability Overview

CVE-2022-22963 is a Spring Expression Language injection issue in Spring Cloud Function routing. When routing functionality is enabled, a user-supplied routing expression can be evaluated in a way that allows code execution rather than only safe function selection.

The vulnerable behavior is tied to how crafted SpEL input is processed as a routing expression. In affected versions, that can lead to remote code execution and access to local resources.
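To make the evaluation-context distinction concrete, the following added example (written for this page, not Spring Cloud Function's own code) evaluates the same routing expressions under a permissive StandardEvaluationContext and under a read-only SimpleEvaluationContext. The RoutedMessage class and the x-function header are hypothetical stand-ins, and the type reference used is deliberately benign.

```java
import java.util.Map;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RoutingExpressionDemo {

    // Hypothetical stand-in for the message object a routing expression is evaluated against.
    public static class RoutedMessage {
        private final String payload;
        private final Map<String, String> headers;
        public RoutedMessage(String payload, Map<String, String> headers) {
            this.payload = payload;
            this.headers = headers;
        }
        public String getPayload() { return payload; }
        public Map<String, String> getHeaders() { return headers; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    // Weak setting: StandardEvaluationContext exposes type references (T(...)) and method
    // invocation to whatever expression it evaluates, so an untrusted routing expression
    // is a code execution primitive rather than a function selector.
    static Object evaluateWithFullContext(String expression, RoutedMessage msg) {
        Expression exp = PARSER.parseExpression(expression);
        return exp.getValue(new StandardEvaluationContext(msg));
    }

    // Restricted setting: read-only data binding limits evaluation to property and index
    // reads on the root object; type references and method calls are rejected.
    static Object evaluateWithRestrictedContext(String expression, RoutedMessage msg) {
        Expression exp = PARSER.parseExpression(expression);
        return exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), msg);
    }

    public static void main(String[] args) {
        RoutedMessage msg = new RoutedMessage("order-42", Map.of("x-function", "uppercase"));
        String selector = "headers['x-function']";     // legitimate routing selector
        String typeRef = "T(java.lang.Math).abs(-7)";  // benign type reference, same syntax class

        System.out.println("full/selector       -> " + evaluateWithFullContext(selector, msg));
        System.out.println("full/typeRef        -> " + evaluateWithFullContext(typeRef, msg));
        System.out.println("restricted/selector -> " + evaluateWithRestrictedContext(selector, msg));
        try {
            evaluateWithRestrictedContext(typeRef, msg);
        } catch (EvaluationException e) {
            System.out.println("restricted/typeRef  -> rejected: " + e.getMessage());
        }
    }
}
```

The selector expression resolves under both contexts, while the type reference only resolves under the full context; that gap is the property a routing layer must not hand to untrusted input.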

Impact

The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can allow unauthenticated remote code execution against an affected Spring Cloud Function application.

Because exploitation can happen over the network without authentication or user interaction, vulnerable public applications should be prioritized for patching. CVE-2022-22963 is also listed in the CISA Known Exploited Vulnerabilities catalog.

Vulnerability Scope

The affected versions include Spring Cloud Function 3.1.6, 3.2.2, and older unsupported versions when routing functionality is used. Applications that do not expose the vulnerable routing behavior, or that run a fixed Spring Cloud Function version, do not meet the vulnerable condition.

The most exposed systems are Java services where function routing is reachable from untrusted requests and the dependency has not been updated according to the vendor advisory.

Lab Focus

This Hackviser lab focuses on understanding how expression language evaluation can become a code execution primitive in server-side frameworks. You will practice identifying the vulnerable Spring Cloud Function routing condition, interpreting the affected version range, and connecting SpEL injection risk to secure framework configuration.

Resources