CVE-2022-22963 is a critical code injection vulnerability in Spring Cloud Function. In affected versions, applications that use the framework's routing functionality can evaluate a user-controlled Spring Expression Language (SpEL) routing expression. By supplying a specially crafted expression, an attacker can cause unintended expression evaluation, which can lead to remote code execution and access to local resources. Affected releases include Spring Cloud Function 3.1.6, 3.2.2, and older unsupported versions.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
8 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository contains a single Python proof-of-concept exploit script, poc.py, for CVE-2022-22963 affecting Spring Cloud Function. The script is standalone and not part of a larger exploit framework. It uses argparse to require two inputs: a target base URL and an arbitrary command to execute on the remote host. It then appends the fixed path /functionRouter to the supplied target and sends a crafted HTTP POST request using the requests library. The exploit works by placing a malicious Spring Expression Language payload in the HTTP header spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("<cmd>"). If the target is vulnerable, the server evaluates this expression and executes the supplied operating system command. The script prints the full target URL, the header payload, and a raw representation of the HTTP request before sending it. It does not implement response parsing, output retrieval, reliability checks, or post-exploitation logic; its purpose is direct command execution only. Repository structure is minimal: one Python file with all logic inline at top level. There are no helper modules, no persistence mechanisms, and no detection-only behavior. Because it accepts an operator-supplied command and delivers real RCE against a known vulnerable endpoint, it is a valid operational exploit PoC rather than a mere scanner.
This repository is a small standalone proof-of-concept for CVE-2022-22963 in Spring Cloud Function. It contains two files: a README describing how to launch a vulnerable Docker container and validate impact, and a Python script (exploit.py) that performs the exploit. The exploit constructs a POST request to the /functionRouter endpoint and places a SpEL payload in the spring.cloud.function.routing-expression header. That payload invokes java.lang.Runtime.getRuntime().exec() with an attacker-supplied command, enabling blind remote code execution. The script uses requests, disables TLS warnings, sets generic HTTP headers, and prints the HTTP status and truncated response body, though the README correctly notes that command output is generally not returned. A notable safety restriction is built into the code: it refuses to target anything except localhost or 127.0.0.1, making it a local demo PoC rather than a broadly weaponized exploit. The repository’s purpose is to demonstrate blind RCE and verify impact through filesystem side effects such as creating files in /tmp inside the vulnerable container.
This repository contains a Python exploit tool for CVE-2022-22963, a remote code execution vulnerability in Spring Cloud Function. The exploit targets the '/functionRouter' HTTP endpoint, leveraging a SpEL (Spring Expression Language) injection via the 'spring.cloud.function.routing-expression' HTTP header. The tool provides three main capabilities: (1) checking if a target is vulnerable, (2) verifying exploitation via DNSLOG (by triggering a DNS request from the target), and (3) executing arbitrary commands, including spawning a reverse shell to a specified IP and port. The code is operational and allows the user to specify the target URL, exploitation mode (dnslog or shell), and relevant parameters via command-line arguments. The README provides clear usage instructions, affected product versions, and legal disclaimers. The exploit is not part of a framework and is implemented as a standalone Python script.
This repository provides a Dockerfile to build and run a vulnerable instance of Spring Cloud Function version 3.1.6, which is susceptible to CVE-2022-22963 (Spring4Shell). The Dockerfile automates the setup by downloading the vulnerable version, building it, and exposing it on port 8080. The README.md includes instructions for running the container and demonstrates an exploit using a crafted HTTP POST request to the /functionRouter endpoint, leveraging the 'spring.cloud.function.routing-expression' header to achieve remote code execution (RCE). The exploit example creates a file (/tmp/test) on the target system, proving code execution. The repository is a proof-of-concept (POC) for demonstrating the vulnerability and does not include weaponized or automated exploitation scripts.
This repository contains a Python exploit for CVE-2022-22963, a remote code execution vulnerability in Spring Cloud Function (<=3.1.6 for 3.1.x and <=3.2.2 for 3.2.x). The exploit works by creating a bash reverse shell script (shell.sh) in the attacker's directory, starting a local HTTP server to serve this script, and then using the vulnerable /functionRouter endpoint on the target to download, set permissions, and execute the shell script on the target system. The exploit leverages the 'spring.cloud.function.routing-expression' header to inject commands. The attacker must have a listener (e.g., netcat) running to receive the reverse shell. The repository consists of two files: a README.md with usage instructions and a single Python script (spring-cloud-rce.py) implementing the exploit logic. The exploit is operational and provides a working reverse shell if the target is vulnerable and accessible.
This repository provides a proof-of-concept (PoC) exploit for CVE-2022-22963, a critical remote code execution (RCE) vulnerability in VMware Spring Cloud Function. The repository contains three files: a YAML template (CVE-2022-22963.yaml) describing the exploit in a format suitable for automated scanners, a README.md with background and usage information, and poc.py, a Python script that automates exploitation. The Python script reads a list of target URLs from a file, appends the /functionRouter path, and sends a specially crafted POST request with a malicious 'spring.cloud.function.routing-expression' header. This header injects a Spring Expression Language (SpEL) payload that executes arbitrary system commands (default: 'whoami') on the target server. If the server responds with a 500 error and an expected error message, the URL is considered vulnerable and is logged to 'vulnerable.txt'. The exploit is operational and can be used to verify and exploit vulnerable Spring Cloud Function deployments accessible over the network.
This repository contains a Python exploit script (exploit.py) targeting CVE-2022-22963, a remote code execution vulnerability in VMware's Spring Cloud Function. The exploit works by sending a specially crafted HTTP POST request to the /functionRouter endpoint of a vulnerable server, injecting a command via the 'spring.cloud.function.routing-expression' header. The script first checks if the target is vulnerable by attempting to create a file (/tmp/pwned) on the server. If the server is found to be vulnerable, the script can then launch a reverse shell payload, which connects back to the attacker's machine on TCP port 4444. The attacker is prompted for their IP address, and the script sets up a netcat listener to receive the shell. The repository consists of three files: a LICENSE, a README.md with usage instructions, and the main exploit script. The exploit is operational and provides a working reverse shell if the target is vulnerable and accessible.
This repository provides a proof-of-concept (POC) exploit for a remote code execution (RCE) vulnerability in Spring Cloud Function (version 3.1.6). The exploit leverages the 'spring.cloud.function.routing-expression' HTTP header to inject a malicious Spring Expression Language (SpEL) payload, allowing arbitrary command execution on the target server. The README.md contains detailed build and exploitation instructions, including example HTTP POST requests to the '/functionRouter' endpoint. Two main POCs are described: one that opens the Calculator app on macOS, and another that triggers a DNS request to a controlled domain for out-of-band verification. The repository does not contain any code files, only documentation and instructions for reproducing the exploit. The main attack vector is network-based, targeting HTTP endpoints exposed by vulnerable Spring Cloud Function deployments.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A separate Spring vulnerability affecting Spring Cloud Connector, mentioned only to distinguish it from Spring4Shell.
A Spring Cloud Function SpEL remote code execution vulnerability mentioned as historical context.
The content explicitly labels CVE-2022-22963 as Spring4Shell, but this appears in tension with later references to CVE-2022-22965. Based on the content alone, it is presented as the vulnerability tied to the detected exploitation attempts.
A critical vulnerability in Spring Cloud Function that allows a specially crafted SpEL routing expression to access local resources.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.