All Spring Framework CVEs — Complete Vulnerability History
Spring Framework is the most widely-used Java application framework. It releases security patches frequently. The most severe CVE in its history is Spring4Shell (CVE-2022-22965), which allowed unauthenticated remote code execution.
Java/Maven
Millions weekly downloads
7 CVEs total
4 CRITICAL
🔴 CISA KEV
CVE history — all 7 known vulnerabilities
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE ID | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2018-1270 | 2018 | CRITICAL | RCE via STOMP over WebSocket messaging | Fixed in 4.3.16 |
| CVE-2018-1275 | 2018 | CRITICAL | RCE via Spring Data Commons binding | Fixed in 5.0.5 |
| CVE-2021-22096 | 2021 | MEDIUM | Log injection via multipart request parsing | Fixed in 5.3.12 |
| CVE-2022-22965 | 2022 | 🔴CRITICAL | Spring4Shell — RCE via data binding on Java 9+ — CISA KEV | Fixed in 5.3.18 |
| CVE-2022-22968 | 2022 | MEDIUM | Input pattern bypass in DataBinder | Fixed in 5.3.18 |
| CVE-2023-20860 | 2023 | CRITICAL | Security bypass via wildcard pattern matching in Spring Security | Fixed in 6.0.7 |
| CVE-2024-22243 | 2024 | MEDIUM | Open redirect via forwarded URL patterns | Fixed in 6.1.3 |
Current safe version
✓ Update to 6.1.6
The latest safe version addresses all 7 known CVEs listed above.
Before and after
Vulnerable:
5.3.18
Fixed:
6.1.6
Then run: mvn dependency:resolve
Paste your manifest — see your exact installed version against this full CVE list.
Scan with PackageFix →Free · No signup · No CLI · Runs in your browser
Common questions
What is Spring4Shell and how is it different from Log4Shell?
Both are critical Java RCE vulnerabilities discovered around the same time (early 2022 vs late 2021). Log4Shell is in the logging library — exploited via log messages. Spring4Shell is in the web framework — exploited via HTTP request parameter binding with malicious class paths. Different attack vectors, similar severity.
Do I need Java 9+ to be vulnerable to Spring4Shell?
Yes — CVE-2022-22965 specifically requires Java 9+ and deployment on Apache Tomcat (not embedded Tomcat). Spring Boot with embedded Tomcat is not affected in most configurations. Check your deployment setup before assuming you're safe.
Is Spring Framework 5.x still receiving security patches?
Spring 5.3.x is maintained until December 2024. Spring 6.x is the current generation. If you're on Spring 5.x, you should be planning your migration to Spring 6.x (which requires Java 17+).
How do I check my Spring version in a Maven project?
Run mvn dependency:tree | grep spring-core to see the resolved version. Or paste your pom.xml into PackageFix — it resolves property variables like ${spring.version} and checks transitive Spring dependencies.