CVE-2024-22271 Overview
CVE-2024-22271 is a denial-of-service vulnerability in the Spring Cloud Function framework. The flaw affects applications that use the Spring Cloud Function Web module when a function composition references a function that does not exist. Attackers can trigger the condition by submitting crafted requests over the network without authentication.
The affected versions are Spring Cloud Function Framework 4.1.0 to 4.1.2 and 4.0.0 to 4.0.8. The weakness is classified under CWE-20: Improper Input Validation. Successful exploitation degrades service availability and may expose limited confidential data through the error handling paths.
Critical Impact
Unauthenticated, network-based attackers can trigger denial-of-service conditions in Spring Cloud Function Web applications by requesting function compositions that reference non-existing functions.
Affected Products
- Spring Cloud Function Framework 4.1.0 through 4.1.2
- Spring Cloud Function Framework 4.0.0 through 4.0.8
- Applications using the Spring Cloud Function Web module
Discovery Timeline
- 2024-07-09 - CVE-2024-22271 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-22271
Vulnerability Analysis
The vulnerability resides in the function composition logic of Spring Cloud Function. The framework permits clients to compose multiple functions through HTTP routing paths exposed by the Web module. When the composition request references a function name that does not exist, the framework fails to validate the input correctly before processing.
This improper input validation causes excessive resource consumption during request handling. Repeated requests amplify the impact and degrade availability for legitimate users of the application.
The attack requires no authentication and no user interaction. The Spring Security Advisory documents the vulnerable code paths and the upstream fix in versions 4.1.2 and 4.0.8.
Root Cause
The root cause is improper input validation [CWE-20] in the function composition resolver. The resolver accepts arbitrary function identifiers from the HTTP layer without verifying that each component of the composition exists in the application context. Processing a composition that references missing functions triggers expensive error handling paths.
Attack Vector
An attacker sends HTTP requests to the Spring Cloud Function Web endpoint. The request URI contains a composition expression that joins valid and non-existing function names. The framework attempts to resolve the chain, consuming resources without producing a stable error response. Repeated requests sustain the denial-of-service condition.
No verified public proof-of-concept code is available for this issue. See the Spring Security Advisory CVE-2024-22271 for technical details and the related Checkmarx analysis of the earlier CVE-2022-22979 referenced by the advisory.
Detection Methods for CVE-2024-22271
Indicators of Compromise
- Repeated HTTP requests to Spring Cloud Function endpoints containing comma-separated or pipe-separated function names in the URI path
- Spring application logs showing repeated function resolution failures or FunctionInvocationWrapper errors
- Sustained spikes in JVM CPU and heap usage on hosts running the Spring Cloud Function Web module
Detection Strategies
- Inspect HTTP access logs for unusual URI paths that combine multiple function identifiers, especially when responses indicate server errors or timeouts
- Correlate web tier 5xx error rates with backend JVM resource saturation on services running Spring Cloud Function
- Compare deployed Spring Cloud Function versions against the fixed versions 4.1.2 and 4.0.8 during build and runtime inventory scans
Monitoring Recommendations
- Enable application performance monitoring for Spring Cloud Function endpoints with alerts on sustained high latency or thread pool exhaustion
- Track request rate and error rate per function path through a web application firewall or reverse proxy
- Forward application logs and JVM metrics to a centralized analytics platform for cross-correlation
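The indicators and detection strategies above can be turned into a small log review, shown here as an added example that is not part of the advisory or of the Spring project: it parses combined-format HTTP access log lines, treats a first path segment containing ',' or '|' as a function composition, flags compositions whose components are missing from the application's known function names, and counts such requests and 5xx responses per client. The function allowlist, the log lines and the threshold are constructed for this example; the same allowlist check is what a reverse-proxy or WAF rule would need in order to reject compositions that reference unknown names.

```python
"""
Review HTTP access logs for function-composition requests that reference
unknown function names (the CVE-2024-22271 indicators from the advisory).

Constructed for this example: the combined log format regex, the KNOWN_FUNCTIONS
allowlist, the sample log lines and the reporting threshold.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed allowlist: the function names this sample application actually exposes.
KNOWN_FUNCTIONS = {"uppercase", "reverse", "echo"}

# Apache/Nginx combined log format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Spring Cloud Function accepts either separator for compositions.
COMPOSITION_SEP = re.compile(r"[,|]")


def parse_line(line):
    """Return a dict of fields for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def composition_components(path):
    """Split the first path segment into function names; [] when it is not a composition."""
    segment = unquote(path.split("?", 1)[0]).strip("/").split("/", 1)[0]
    if not COMPOSITION_SEP.search(segment):
        return []
    return [name for name in COMPOSITION_SEP.split(segment) if name]


def unknown_components(path, known=KNOWN_FUNCTIONS):
    """Composition members that are not in the function allowlist."""
    return [name for name in composition_components(path) if name not in known]


def analyze(lines, known=KNOWN_FUNCTIONS, threshold=3):
    """Summarise compositions with unknown names per client IP.

    Returns {ip: {"requests": n, "server_errors": n, "unknown": set(names)}}
    for clients that sent at least `threshold` such requests.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "server_errors": 0, "unknown": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        unknown = unknown_components(rec["path"], known)
        if not unknown:
            continue  # normal call or a composition of known functions
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["unknown"].update(unknown)
        if rec["status"] >= 500:
            entry["server_errors"] += 1
    return {ip: e for ip, e in per_ip.items() if e["requests"] >= threshold}


# Constructed sample: a benign composition, a plain call, and a burst of
# compositions that chain a real function with names that do not exist
# (one of them with the comma URL-encoded as %2C).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jul/2024:10:00:01 +0000] "POST /uppercase,reverse HTTP/1.1" 200 42
10.0.0.5 - - [09/Jul/2024:10:00:02 +0000] "POST /echo HTTP/1.1" 200 12
203.0.113.7 - - [09/Jul/2024:10:00:03 +0000] "POST /uppercase,doesnotexist HTTP/1.1" 500 0
203.0.113.7 - - [09/Jul/2024:10:00:03 +0000] "POST /uppercase|doesnotexist HTTP/1.1" 500 0
203.0.113.7 - - [09/Jul/2024:10:00:04 +0000] "POST /uppercase,nope1,nope2 HTTP/1.1" 503 0
203.0.113.7 - - [09/Jul/2024:10:00:04 +0000] "POST /uppercase%2Cnope3 HTTP/1.1" 500 0
""".splitlines()

if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {e['requests']} composition requests with unknown functions, "
              f"{e['server_errors']} server errors, names={sorted(e['unknown'])}")
```

Decoding the path before splitting matters: an encoded separator still reaches the framework as a composition, so a rule that only looks for a literal comma in the raw request line would miss it. Keep the allowlist in step with the functions the application registers, otherwise legitimate compositions of newly added functions will be reported.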
How to Mitigate CVE-2024-22271
Immediate Actions Required
- Upgrade Spring Cloud Function Framework to version 4.1.2 or later for the 4.1.x branch
- Upgrade Spring Cloud Function Framework to version 4.0.8 or later for the 4.0.x branch
- Inventory all applications that include the spring-cloud-function-web module and prioritize internet-exposed services
- Apply rate limiting to Spring Cloud Function HTTP endpoints at the reverse proxy or API gateway layer
Patch Information
VMware published fixes in Spring Cloud Function Framework versions 4.1.2 and 4.0.8. Update the dependency declaration in Maven or Gradle build files to a fixed version and redeploy affected services. Full remediation details are available in the Spring Security Advisory CVE-2024-22271.
Workarounds
- Restrict access to Spring Cloud Function Web endpoints to trusted networks until patching completes
- Disable the Spring Cloud Function Web module if HTTP-based function invocation is not required
- Deploy WAF rules that reject requests containing comma-separated function composition paths to unknown function names
# Maven dependency update example (use 4.0.8 on the 4.0.x branch)
mvn versions:use-dep-version \
-Dincludes=org.springframework.cloud:spring-cloud-function-web \
-DdepVersion=4.1.2 \
-DforceVersion=true
# Gradle dependency pin example (dependencies block of build.gradle)
implementation 'org.springframework.cloud:spring-cloud-function-web:4.1.2'
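The inventory step from the detection and mitigation sections, checking declared Spring Cloud Function versions against the fixed releases, can be scripted. The following is an added example and not code from the advisory or from the Spring project: it reads dependency declarations from a pom.xml and a build.gradle, and reports watched artifacts whose version is below the fixed release for their branch (4.1.2 for 4.1.x, 4.0.8 for 4.0.x), which is the rule the mitigation section gives. The pom.xml and build.gradle contents are constructed samples, and the set of watched artifacts is an assumption.

```python
"""
Flag Spring Cloud Function dependency declarations that are below the fixed
versions named in the advisory (4.1.2 for 4.1.x, 4.0.8 for 4.0.x).

Constructed for this example: the watched artifact set, the sample pom.xml
and build.gradle text, and the helper names.
"""
import re
import xml.etree.ElementTree as ET

# Fixed release per affected branch, from the advisory's mitigation section.
FIXED_BY_BRANCH = {(4, 1): (4, 1, 2), (4, 0): (4, 0, 8)}

# Assumption: the artifacts that bring the Web module into an application.
WATCHED_ARTIFACTS = {
    ("org.springframework.cloud", "spring-cloud-function-web"),
    ("org.springframework.cloud", "spring-cloud-starter-function-web"),
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Gradle string-notation declarations such as: implementation 'group:artifact:version'
GRADLE_DEP_RE = re.compile(
    r"""^\s*(?:implementation|api|compileOnly|runtimeOnly)\s*\(?\s*['"]([^:'"]+):([^:'"]+):([^'"]+)['"]"""
)


def parse_version(text):
    """Turn '4.1.1' or '4.0.7-SNAPSHOT' into a (major, minor, patch) tuple; None if unparsable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the version sits on a branch the advisory names and is below its fixed release.

    Branches the advisory does not mention (for example 3.x) return False.
    """
    v = parse_version(version)
    if v is None:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return fixed is not None and v < fixed


def _child_text(element, tag):
    """Text of a child element, tolerating namespaced and namespace-less POMs."""
    child = element.find(f"m:{tag}", MAVEN_NS)
    if child is None:
        child = element.find(tag)
    return child.text.strip() if child is not None and child.text else None


def maven_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each <dependency> in a pom.xml string.

    A dependency whose version comes from a BOM has no <version> and yields None;
    resolve those with `mvn dependency:list` before trusting the result.
    """
    root = ET.fromstring(pom_xml)
    deps = root.findall(".//m:dependency", MAVEN_NS) or root.findall(".//dependency")
    for dep in deps:
        yield _child_text(dep, "groupId"), _child_text(dep, "artifactId"), _child_text(dep, "version")


def gradle_dependencies(build_gradle):
    """Yield (group, artifact, version) for string-notation declarations in build.gradle."""
    for line in build_gradle.splitlines():
        m = GRADLE_DEP_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_vulnerable(deps):
    """Return [(group, artifact, version)] for watched artifacts below their fixed release."""
    return [(g, a, v) for g, a, v in deps
            if (g, a) in WATCHED_ARTIFACTS and v is not None and is_vulnerable(v)]


# Constructed sample build files: one declaration below the fix on each branch,
# one already at the fixed release, and unrelated dependencies that must be ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId>
      <version>4.1.1</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>3.2.5</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_GRADLE = """\
dependencies {
    implementation 'org.springframework.cloud:spring-cloud-function-web:4.0.7'
    implementation "org.springframework.cloud:spring-cloud-starter-function-web:4.1.2"
    testImplementation 'org.junit.jupiter:junit-jupiter:5.10.2'
}
"""

if __name__ == "__main__":
    for hit in find_vulnerable(maven_dependencies(SAMPLE_POM)) + find_vulnerable(gradle_dependencies(SAMPLE_GRADLE)):
        print("below fixed version:", ":".join(hit))
```

Declared versions are only part of the picture: when the version is managed by a BOM or imported transitively it does not appear in the build file, so the runtime inventory step should use the resolved dependency tree (for example `mvn dependency:list` or `gradle dependencies`) or the JAR names on the deployed host.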
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.