Critical Spring Cloud Gateway Vulnerabilities: How to Detect and Patch CVE-2022-22946 & CVE-2022-22947
This article explains the two high-severity Spring Cloud Gateway vulnerabilities disclosed on March 1, 2022, details their impact and affected versions, and provides concrete upgrade and configuration steps to mitigate the risks.
On March 1, 2022, the Spring team announced two critical CVEs for Spring Cloud Gateway (versions 3.4.x branch): CVE-2022-22946 and CVE-2022-22947.
Vulnerability 1: Remote Code Execution (CVE-2022-22947)
When the Gateway Actuator endpoint is exposed, an attacker can exploit this command-injection flaw to execute arbitrary SpEL expressions, achieving remote code execution and system-level privileges.
Impact Conditions
The application uses Spring Cloud Gateway together with Spring Boot Actuator exposing the /actuator/gateway endpoint.
The gateway endpoint is enabled in the configuration (e.g., management.endpoint.gateway.enabled=true and management.endpoints.web.exposure.include=gateway).
Affected Versions
Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
All older, unsupported releases
Mitigation
Upgrade to a safe version:
Spring Cloud Gateway 3.1.1
Spring Cloud Gateway 3.0.7
Alternatively, if business impact permits, disable the Gateway actuator endpoint by setting:
management.endpoint.gateway.enabled=false
Vulnerability 2: Insecure TrustManager in HTTP/2 (CVE-2022-22946)
Applications that enable HTTP/2 without configuring a keystore or trusted certificates use an insecure TrustManager, allowing the gateway to accept invalid or custom certificates when connecting to downstream services.
Impact Scope
Spring Cloud Gateway version 3.1.0 is affected.
Mitigation
Upgrade to Spring Cloud Gateway 3.1.1 or later, which contains the security fix.
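As an added detection check (not code from the article), the following Python audit combines the affected-version ranges and the exposure conditions given above for both CVEs into one pass over a deployment's version string and configuration. It assumes the configuration is a Spring Boot application.properties file, that the gateway endpoint is enabled by default, and that web exposure defaults to health only; the sample properties are constructed.

```python
# Added audit helper (not the article's code); sample properties below are constructed.
from __future__ import annotations

# Patched releases per branch, as stated in the article: 3.1.x -> 3.1.1, 3.0.x -> 3.0.7.
FIXED = {(3, 1): (3, 1, 1), (3, 0): (3, 0, 7)}

def parse_version(v: str) -> tuple[int, int, int]:
    # "3.0.6", "2.2.9.RELEASE" and "3.1.1-SNAPSHOT" all reduce to (major, minor, patch)
    parts = v.split("-")[0].split(".") + ["0", "0"]
    return int(parts[0]), int(parts[1]), int(parts[2])

def gateway_version_vulnerable(v: str) -> bool:
    """CVE-2022-22947: below the fix for its branch, or any older unsupported line."""
    ver = parse_version(v)
    fixed = FIXED.get(ver[:2])
    return ver < (3, 0, 0) if fixed is None else ver < fixed

def http2_trustmanager_vulnerable(v: str) -> bool:
    """CVE-2022-22946: the article lists exactly 3.1.0 as affected."""
    return parse_version(v) == (3, 1, 0)

def parse_properties(text: str) -> dict[str, str]:
    props: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip()
    return props

def actuator_gateway_exposed(props: dict[str, str]) -> bool:
    # Assumed Spring Boot defaults: endpoint enabled, web exposure limited to "health".
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    include = props.get("management.endpoints.web.exposure.include", "health")
    return enabled and bool({s.strip() for s in include.split(",")} & {"gateway", "*"})

def audit(version: str, properties_text: str) -> list[str]:
    """Return one finding per CVE that applies to this version/config pair."""
    findings = []
    if gateway_version_vulnerable(version) and actuator_gateway_exposed(parse_properties(properties_text)):
        findings.append("CVE-2022-22947: /actuator/gateway exposed on an unpatched version; "
                        "upgrade to 3.1.1 or 3.0.7, or set management.endpoint.gateway.enabled=false")
    if http2_trustmanager_vulnerable(version):
        findings.append("CVE-2022-22946: 3.1.0 uses an insecure TrustManager for HTTP/2; upgrade to 3.1.1")
    return findings

# Constructed sample: a 3.1.0 gateway that exposes the gateway actuator endpoint.
SAMPLE_PROPERTIES = "management.endpoint.gateway.enabled=true\n" \
                    "management.endpoints.web.exposure.include=health,gateway\n"
```

Run `audit("3.1.0", SAMPLE_PROPERTIES)` to see both findings; a properties file that never names the gateway endpoint yields none under the assumed defaults.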
References
CVE-2022-22946 details
CVE-2022-22947 details
Su San Talks Tech
Su San, former staff at several leading tech companies, is a top creator on Juejin and a premium creator on CSDN, and runs the free coding practice site www.susan.net.cn.
