CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

Spring by VMware

Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that allows arbitrary remote code execution on the host running the gateway.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

  • Spring Cloud Gateway
    • 3.1.0
    • 3.0.0 to 3.0.6
    • Older, unsupported versions are also affected


Users of affected versions should apply the following remediation. 3.1.x users should upgrade to 3.1.1+. 3.0.x users should upgrade to 3.0.7+. If the Gateway actuator endpoint is not needed, it should be disabled via management.endpoint.gateway.enabled: false. If the actuator is required, it should be secured using Spring Security.

Releases that have fixed this issue include:

  • Spring Cloud Gateway
    • 3.1.1+
    • 3.0.7+
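As an added illustration (not part of the advisory), the following application.yml fragments contrast the exposed state the advisory describes with a configuration that applies its mitigation. The profile names are assumed; the property names are standard Spring Boot Actuator properties, and the `management.endpoint.gateway.enabled` setting is the one the advisory names.

```yaml
# Added example, not from the advisory: two Spring Boot profile documents
# in one application.yml. Profile names (weak-example, hardened) are assumed.

# --- Profile "weak-example": the state the advisory describes ---
# The gateway actuator endpoint is enabled, exposed over HTTP and (absent a
# Spring Security configuration) reachable without authentication, so the
# code-injection path is open to anyone who can reach /actuator/gateway.
spring:
  config:
    activate:
      on-profile: weak-example
management:
  endpoints:
    web:
      exposure:
        include: "*"          # exposes every actuator endpoint, gateway included
  endpoint:
    gateway:
      enabled: true           # endpoint active and mutable

---
# --- Profile "hardened": the advisory's mitigation applied ---
# Disable the gateway actuator endpoint when nothing in the deployment needs it,
# and expose only the endpoints operations actually uses. If the endpoint is
# required, the advisory's guidance is to protect it with Spring Security
# instead; upgrading to 3.1.1+ / 3.0.7+ remains the actual fix.
spring:
  config:
    activate:
      on-profile: hardened
management:
  endpoint:
    gateway:
      enabled: false          # the setting named in the advisory
  endpoints:
    web:
      exposure:
        include: health,info  # no gateway endpoint over the web, even if enabled later
```

Running with `--spring.profiles.active=hardened` and then requesting `/actuator/gateway/routes` should return 404, which is a quick check that the endpoint is really off.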

This vulnerability was discovered and responsibly reported by Wyatt Dahlenburg.

2022-03-01: Initial vulnerability report published.