How severe is GHSA-36p3-wjmg-h94x?

GHSA-36p3-wjmg-h94x has a CVSS score of 9.8/10, rated CRITICAL. Immediate patching is strongly recommended.

Which packages are affected by GHSA-36p3-wjmg-h94x?

GHSA-36p3-wjmg-h94x affects the following packages: org.springframework:spring-beans (Maven), org.springframework:spring-beans (Maven), org.springframework:spring-webmvc (Maven), org.springframework:spring-webmvc (Maven), org.springframework.boot:spring-boot-starter-web (Maven), org.springframework.boot:spring-boot-starter-web (Maven), org.springframework:spring-webflux (Maven), org.springframework:spring-webflux (Maven), and 2 more. Ecosystems affected: Maven.

How do I fix GHSA-36p3-wjmg-h94x?

Update org.springframework:spring-beans to version 5.2.20.RELEASE or later. Run your dependency manager's update command and verify no transitive dependencies pin the vulnerable version. Use O3 Security's SCA scanner to confirm the fix is applied across your entire dependency tree.

Is GHSA-36p3-wjmg-h94x actively exploited in the wild?

Yes. There are 106 known exploit references for GHSA-36p3-wjmg-h94x, including 65 in-the-wild exploitations observed on GitHub and other sources. Treat this as actively exploitable and prioritize patching immediately. All exploit code should only be run in an isolated sandbox environment for research or authorized testing — never against production systems without explicit written authorization.

What is the EPSS score for GHSA-36p3-wjmg-h94x?

GHSA-36p3-wjmg-h94x has an EPSS (Exploit Prediction Scoring System) score of 94.4%, placing it in the 100th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. A score above 50% indicates significantly elevated exploitation risk — immediate patching is strongly recommended.

Is GHSA-36p3-wjmg-h94x in the CISA Known Exploited Vulnerabilities catalog?

Yes. GHSA-36p3-wjmg-h94x (Spring Framework JDK 9+ Remote Code Execution Vulnerability) was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on 2022-04-04. CISA required all US federal civilian agencies to remediate this vulnerability by 2022-04-25. The required action was: Apply updates per vendor instructions. Being listed in the KEV catalog is the strongest possible confirmation of active exploitation — treat this as a critical priority.

CISA KEV·Added 2022-04-04 — agencies required to remediate by 2022-04-25

☕ Maven

GHSA-36p3-wjmg-h94x

Q: Can O3 Security detect GHSA-36p3-wjmg-h94x in my codebase?

Yes. O3 Security's Impact-Aware SCA scanner identifies GHSA-36p3-wjmg-h94x across all affected ecosystems (Maven), correlates it against your dependency graph, and uses function-level reachability to confirm whether the vulnerable code path is actually reachable in your application — eliminating false positives. You can scan your stack for GHSA-36p3-wjmg-h94x directly from the O3 platform.

CRITICAL

Remote Code Execution in Spring Framework

Also known asCVE-2022-22965

Published

Mar 31, 2022

Updated

Oct 22, 2025

Affected

10 pkgs

Patched

10 / 10

Exploits

106 known

EPSS Exploitation Probability

via FIRST.org ↗

94.4%probability of exploitation in next 30 days

Very High Risk100th percentile0.00%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

10 pkgs affected

☕org.springframework:spring-beans☕org.springframework:spring-beans☕org.springframework:spring-webmvc☕org.springframework:spring-webmvc☕org.springframework.boot:spring-boot-starter-web☕org.springframework.boot:spring-boot-starter-web☕org.springframework:spring-webflux☕org.springframework:spring-webflux+2 more

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.

Description

Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.

Impact

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as WAR
spring-webmvc or spring-webflux dependency

Patches

Spring Framework 5.3.18 and 5.2.20
Spring Boot 2.6.6 and 2.5.12

Workarounds

For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).

Affected Packages

10 total 10 fixed

Ecosystem	Package	Vulnerable range	Fix
☕Maven	`org.springframework:spring-beans`	all versions	5.2.20.RELEASE
☕Maven	`org.springframework:spring-beans`	≥ 5.3.0&&< 5.3.18	5.3.18
☕Maven	`org.springframework:spring-webmvc`	all versions	5.2.20.RELEASE
☕Maven	`org.springframework:spring-webmvc`	≥ 5.3.0&&< 5.3.18	5.3.18
☕Maven	`org.springframework.boot:spring-boot-starter-web`	all versions	2.5.12
☕Maven	`org.springframework.boot:spring-boot-starter-web`	≥ 2.6.0&&< 2.6.6	2.6.6

Exploits & PoCs

106

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.