Remote Code Execution (Spring4Shell)

Severity: Critical

Invicti detected that the application is vulnerable to a remote code execution (RCE) vulnerability mainly affecting Spring MVC or Spring WebFlux applications on JDK 9+.


The vulnerability allows attackers to execute arbitrary Java code on the target system. The attacker may also be able to execute arbitrary system commands.

Exploit of the vulnerability is known widely and should be addressed as soon as possible.


Affected applications should update to the latest available version of Spring. If you are using version 3.5.X you should update to version 3.5.18 or higher. Affected users with Spring 5.2.X should at least update their installations to 5.2.20 or above. If no immediate update to the higher version is possible, you can also use the workaround provided in the official spring announcement until the update can be rolled out.


Search Vulnerability

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works