Will It Vibe logoWill It Vibe?
SCA-009Critical severity-25 points

Spring4Shell -- spring-core/spring-beans RCE (Maven/Gradle)

Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.

What it detects

Flags a pom.xml/build.gradle dependency on spring-core or spring-beans below 5.3.18, the class-loader property-binding remote-code-execution vulnerability (CVE-2022-22965).

Why it matters

Spring4Shell (CVE-2022-22965) lets an attacker bind a crafted HTTP request parameter through Spring MVC's data-binding into the application's class loader, ultimately writing a file the server will execute -- remote code execution, most reliably reachable on Spring MVC apps deployed as a WAR on Tomcat under JDK 9+. spring-core and spring-beans before 5.3.18 are affected; this is one of the highest-impact Java vulnerabilities in recent years precisely because Spring is the default web framework for a huge share of enterprise Java. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.

How to fix it

Upgrade spring-core and spring-beans to 5.3.18+ (or the 5.2.20+ patch on the older 5.2.x line if you are pinned there). Spring Boot users should upgrade to a Boot version that pulls in a patched Spring Framework rather than overriding the Spring version alone.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Dependencies & Hygiene checks