CVE-2022-22950 Overview
A Denial of Service vulnerability exists in VMware Spring Framework versions 5.3.0 through 5.3.16 and older unsupported versions. The vulnerability allows an authenticated user to provide a specially crafted Spring Expression Language (SpEL) expression whose evaluation exhausts CPU or memory, rendering the application unavailable (a denial of service condition).
Critical Impact
Authenticated attackers can craft malicious SpEL expressions to exhaust application resources, causing denial of service conditions that impact application availability.
Affected Products
- VMware Spring Framework versions 5.3.0 through 5.3.16
- Older unsupported Spring Framework versions
Discovery Timeline
- 2022-04-01 - CVE-2022-22950 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-22950
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw resides in the Spring Expression Language (SpEL) parsing and evaluation engine within Spring Framework. When processing user-supplied SpEL expressions, the framework fails to properly limit resource consumption during expression evaluation.
The vulnerability enables authenticated users to submit carefully constructed SpEL expressions that trigger excessive resource allocation. This can lead to CPU exhaustion, memory exhaustion, or both, ultimately rendering the application unresponsive to legitimate requests.
Root Cause
The root cause lies in improper resource allocation controls within the SpEL expression evaluator. The Spring Framework does not enforce adequate limits on the complexity or recursion depth of SpEL expressions, allowing malicious expressions to consume disproportionate computational resources during parsing and evaluation.
Attack Vector
The attack is network-based and requires low-privilege authentication. An attacker with valid application credentials can submit malicious SpEL expressions through any application endpoint that processes user-supplied expressions. The attack does not require user interaction and can be executed remotely.
Exploitation involves crafting SpEL expressions designed to trigger resource-intensive operations such as deeply nested expressions, recursive constructions, or computationally expensive operations that exhaust available CPU cycles or memory allocation.
Detection Methods for CVE-2022-22950
Indicators of Compromise
- Unusual CPU or memory spikes correlated with SpEL expression processing
- Application logs showing SpEL evaluation errors or timeouts
- Repeated requests from authenticated users containing complex or nested expressions
- Application unresponsiveness or degraded performance during expression evaluation
Detection Strategies
- Monitor application performance metrics for unusual resource consumption patterns during expression processing
- Implement logging for SpEL expression evaluation, flagging expressions exceeding complexity thresholds
- Deploy application performance monitoring (APM) tools to detect anomalous request patterns
- Review authentication logs for accounts submitting suspicious or malformed expressions
Monitoring Recommendations
- Configure alerts for sudden increases in CPU utilization or memory consumption in Spring Framework applications
- Implement request rate limiting for endpoints that accept SpEL expressions
- Enable detailed logging of SpEL expression inputs and evaluation times
- Monitor heap memory usage and garbage collection frequency for signs of resource exhaustion
How to Mitigate CVE-2022-22950
Immediate Actions Required
- Upgrade Spring Framework to version 5.3.17 or later immediately
- Review application endpoints that accept user-supplied SpEL expressions
- Implement input validation to restrict SpEL expression complexity
- Consider temporarily disabling SpEL expression processing if not critical to application functionality
Patch Information
VMware has released security patches addressing this vulnerability. Organizations should upgrade to Spring Framework version 5.3.17 or later to remediate this issue. For detailed patch information and upgrade guidance, refer to the VMware Security Advisory CVE-2022-22950.
Workarounds
- Implement application-level input validation to reject overly complex SpEL expressions before evaluation
- Configure resource limits (CPU and memory) at the container or JVM level to prevent complete system exhaustion
- Apply web application firewall (WAF) rules to filter requests containing suspicious SpEL syntax patterns
- Restrict SpEL expression functionality to only necessary features using SimpleEvaluationContext instead of StandardEvaluationContext
# JVM memory and resource configuration example
java -Xmx512m -Xms256m \
-XX:MaxMetaspaceSize=128m \
-XX:+UseG1GC \
-jar your-spring-application.jar
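The following is an added example, not code from the advisory or from the Spring project, showing how the workarounds above (and the logging called for under Detection Strategies) fit together in one evaluation wrapper: a pre-parse complexity check on expression length and bracket nesting depth, evaluation through SimpleEvaluationContext.forReadOnlyDataBinding() rather than StandardEvaluationContext, a parser configured not to auto-grow collections or null references, and a log line per evaluation that records input size and duration so slow evaluations can be flagged. The class name GuardedSpelEvaluator, the thresholds, the principal names and the order map used as the root object are all assumptions constructed for the example; the Spring classes and constructors used are real 5.3.x APIs.

```java
// Added example (not from the advisory or the Spring project): guarded SpEL evaluation.
import java.util.Map;
import java.util.logging.Logger;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelParserConfiguration;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public final class GuardedSpelEvaluator {

    private static final Logger LOG = Logger.getLogger(GuardedSpelEvaluator.class.getName());

    // Assumed thresholds; tune them to the longest legitimate expression the application accepts.
    static final int MAX_EXPRESSION_LENGTH = 256;
    static final int MAX_NESTING_DEPTH = 8;
    static final long SLOW_EVALUATION_MILLIS = 50;

    // Do not auto-grow null references or collections (and cap growth at 0), so an
    // expression cannot make the evaluator allocate on its behalf.
    private final SpelExpressionParser parser =
            new SpelExpressionParser(new SpelParserConfiguration(false, false, 0));

    /** Returns a rejection reason, or null when the expression may be parsed. */
    static String rejectReason(String expression) {
        if (expression == null || expression.isEmpty()) {
            return "empty expression";
        }
        if (expression.length() > MAX_EXPRESSION_LENGTH) {
            return "expression length " + expression.length() + " exceeds " + MAX_EXPRESSION_LENGTH;
        }
        int depth = nestingDepth(expression);
        if (depth > MAX_NESTING_DEPTH) {
            return "nesting depth " + depth + " exceeds " + MAX_NESTING_DEPTH;
        }
        return null;
    }

    /** Maximum depth of (), [] and {} nesting: a cheap, conservative proxy for complexity. */
    static int nestingDepth(String expression) {
        int depth = 0;
        int max = 0;
        for (int i = 0; i < expression.length(); i++) {
            char c = expression.charAt(i);
            if (c == '(' || c == '[' || c == '{') {
                depth++;
                max = Math.max(max, depth);
            } else if (c == ')' || c == ']' || c == '}') {
                depth--;
            }
        }
        return max;
    }

    /**
     * Evaluates a user-supplied expression against a root object with data-binding-only
     * semantics (no type references, constructors, bean references or assignment).
     */
    public Object evaluate(String principal, String expression, Object root) {
        String reason = rejectReason(expression);
        if (reason != null) {
            LOG.warning(() -> "SpEL rejected for user=" + principal + ": " + reason);
            throw new IllegalArgumentException("Expression rejected: " + reason);
        }
        EvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        long start = System.nanoTime();
        try {
            Expression parsed = parser.parseExpression(expression);
            return parsed.getValue(context, root);
        } finally {
            long elapsedMillis = (System.nanoTime() - start) / 1_000_000;
            // One log line per evaluation; SLOW entries are what monitoring should alert on
            // and correlate with CPU or memory spikes.
            String status = elapsedMillis > SLOW_EVALUATION_MILLIS ? "SLOW" : "ok";
            LOG.info(() -> String.format("SpEL eval user=%s len=%d depth=%d ms=%d status=%s",
                    principal, expression.length(), nestingDepth(expression), elapsedMillis, status));
        }
    }

    public static void main(String[] args) {
        GuardedSpelEvaluator evaluator = new GuardedSpelEvaluator();
        // Constructed root object: integer cents avoid floating-point output in the demo.
        Map<String, Object> order = Map.of("quantity", 3, "unitPriceCents", 1999);

        // Legitimate data-binding expression: prints 5997.
        System.out.println(evaluator.evaluate("alice", "['quantity'] * ['unitPriceCents']", order));

        // Ten levels of parentheses exceed MAX_NESTING_DEPTH: rejected before parsing.
        try {
            evaluator.evaluate("bob", "((((((((((1))))))))))", order);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The depth counter deliberately counts brackets inside string literals too; that errs toward rejection, which is the right failure direction for a pre-filter. A pre-parse check cannot recognise every expensive expression, so the JVM heap and CPU limits shown above remain the backstop that keeps one request from taking down the whole process.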
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.