How I Reproduced the Massive Spring RCE Vulnerability (CVE-2022-22965)
This article details the discovery, official announcement, prerequisite conditions, and step‑by‑step reproduction of the critical Spring Framework remote code execution vulnerability (CVE‑2022‑22965), including exploit payloads, JSP backdoor creation, and practical mitigation insights.
Earlier this week I published an article titled "Spring爆出比Log4j2还大的漏洞?" ("Has Spring Exposed a Vulnerability Bigger Than Log4j2?") that unexpectedly attracted a large readership. I learned about the vulnerability late at night, started drafting the post around 23:30, and ended up finishing it after midnight while playing a few rounds of online Dou Dizhu.
After publishing, the article went viral, confirming the common "golden rule" for content creators: the most popular pieces are often those written unintentionally.
Back to the point
I managed to reproduce the Spring vulnerability. Late at night I received a link (https://sizeof.cat/post/springcore-rce/) with only four Chinese characters, which led me to the original PDF analysis.
The PDF shows that the vulnerability requires the following conditions (all of which match the official Spring advisory):
JDK 9+ is used
Apache Tomcat is the servlet container
The application is packaged as a WAR
spring‑webmvc or spring‑webflux is a dependency
These prerequisites mean many existing Spring applications are potentially vulnerable.
Reproduction steps
The PDF outlines five HTTP requests that, when sent to a vulnerable WAR deployed on Tomcat, cause a JSP file to be written into the out directory. By accessing this JSP, an attacker can execute arbitrary commands, such as launching the calculator.
The key request payloads are shown as screenshots in the PDF and are not reproduced here.
After sending the five crafted requests, a JSP file appears in the out folder.
Visiting the generated JSP triggers the payload without any console output, yet normal requests continue to be processed and logged.
The exploit demonstrates how a seemingly harmless parameter binding in Spring can introduce an unexpected class property, which attackers can leverage for remote code execution.
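The binding behaviour described above is exactly what the temporary workaround in the Spring advisory linked below targets: a global data-binder denylist that refuses any property path starting with or passing through `class`/`Class`. The following is an added example written for this page, not code from the article or the PDF; the class name BinderControllerAdvice is an assumption, and the listed patterns are the ones the Spring advisory recommends.

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every @Controller in the application so that request
// parameters can no longer bind through the "class" property of a
// command object (the path the exploit abuses on JDK 9+ / Tomcat / WAR).
@ControllerAdvice
@Order(10000) // runs late so it is applied after other binder advices
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Deny "class" and "Class" both as a top-level property and as a
        // nested segment, e.g. foo.class.module.classLoader.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Caveat: DataBinder.setDisallowedFields replaces the whole list, so any controller that configures its own @InitBinder and calls setDisallowedFields must repeat these patterns locally, otherwise that controller loses the global denylist.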
Source and attribution
The original PDF was authored by a security researcher known as p1n93r. The associated GitHub project has since been removed, and the researcher appears to have vanished from public view.
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
For readers interested in the full source code, the author suggests replying with the keyword "漏洞" to the public account to receive it.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Java Backend Technology
Focus on Java-related technologies: SSM, Spring ecosystem, microservices, MySQL, MyCat, clustering, distributed systems, middleware, Linux, networking, multithreading. Occasionally cover DevOps tools like Jenkins, Nexus, Docker, and ELK. Also share technical insights from time to time, committed to Java full-stack development!