spring4shell
Safeguard articles tagged "spring4shell" — guides, analysis, and best practices for software supply chain and application security.
13 articles
Log4Shell and Spring4Shell, years later: why the same bug keeps coming back
CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.
Spring Framework Security Guide (2026)
Spring Framework is the backbone of enterprise Java — and the source of Spring4Shell plus a steady stream of path-traversal and SSRF CVEs. Here is how to run it safely in 2026.
Spring4Shell (CVE-2022-22965) Explained: RCE Through Spring Data Binding
CVE-2022-22965, Spring4Shell, let attackers write a JSP web shell to Spring MVC apps on JDK 9+ by abusing data binding. Here is the ClassLoader trick and the exact conditions required.
Spring4Shell RCE vulnerability explained CVE-2022-22965
CVE-2022-22965 (Spring4Shell) lets attackers achieve unauthenticated RCE on Spring MVC/Tomcat apps. Here's the CVSS/EPSS/KEV data, timeline, and fixes.
What is Spring4Shell
Spring4Shell (CVE-2022-22965) let attackers gain unauthenticated RCE on Java apps via Spring data binding. Here's the full breakdown and fix.
Spring4Shell Retrospective: What CVE-2022-22965 Actually Cost the Industry
Spring4Shell was hyped as the next Log4Shell and turned out to be neither as broad nor as harmless as the early coverage suggested. A 2026 look back at the real numbers.
Spring4Shell (CVE-2022-22965): root cause and remote code...
Spring4Shell (CVE-2022-22965) let attackers manipulate Java class loaders via Spring data binding to achieve RCE on Tomcat-deployed apps. Root cause, timeline, and fixes.
Spring4Shell RCE in Spring Framework (CVE-2022-22965)
A deep dive into CVE-2022-22965 (Spring4Shell): the critical Spring Framework RCE, its exploitation chain, timeline, and how to remediate it fast.
Spring4Shell (CVE-2022-22965) Deep Dive: RCE via Data Bin...
A technical breakdown of Spring4Shell (CVE-2022-22965): the data-binding RCE, affected Spring/Tomcat configurations, severity, timeline, and how to remediate and detect exposure.
The Spring Shell Vulnerability: What Happened
Spring4Shell (CVE-2022-22965) let attackers achieve remote code execution through Spring's data-binding mechanism — here's what made it exploitable and what actually needed patching.
Spring4Shell (CVE-2022-22965) Response Analysis
A 2010-era bypass resurfaced as CVE-2022-22965 on Spring Framework for JDK 9+. Here is how the disclosure, patch, and industry response actually went.
Spring4Shell vs Log4Shell: Comparing Two Java Framework Crises
Both scored 9.8 on CVSS. Both affected millions of Java applications. But Log4Shell and Spring4Shell had fundamentally different blast radii. Here's a direct comparison.