Safeguard
Tag

spring4shell

Safeguard articles tagged "spring4shell" — guides, analysis, and best practices for software supply chain and application security.

13 articles

Vulnerability Management

Log4Shell and Spring4Shell, years later: why the same bug keeps coming back

CVE-2021-44228 scored a perfect CVSS 10.0 and hit CISA's Known Exploited Vulnerabilities list the day it was published — the root cause hasn't gone away.

Jul 8, 20266 min read
Security Guides

Spring Framework Security Guide (2026)

Spring Framework is the backbone of enterprise Java — and the source of Spring4Shell plus a steady stream of path-traversal and SSRF CVEs. Here is how to run it safely in 2026.

Jul 6, 20266 min read
Vulnerability Analysis

Spring4Shell (CVE-2022-22965) Explained: RCE Through Spring Data Binding

CVE-2022-22965, Spring4Shell, let attackers write a JSP web shell to Spring MVC apps on JDK 9+ by abusing data binding. Here is the ClassLoader trick and the exact conditions required.

Jul 2, 20265 min read
Vulnerability Analysis

Spring4Shell RCE vulnerability explained CVE-2022-22965

CVE-2022-22965 (Spring4Shell) lets attackers achieve unauthenticated RCE on Spring MVC/Tomcat apps. Here's the CVSS/EPSS/KEV data, timeline, and fixes.

May 7, 20267 min read
Vulnerability Analysis

What is Spring4Shell

Spring4Shell (CVE-2022-22965) let attackers gain unauthenticated RCE on Java apps via Spring data binding. Here's the full breakdown and fix.

Feb 10, 20267 min read
Vulnerability Analysis

Spring4Shell Retrospective: What CVE-2022-22965 Actually Cost the Industry

Spring4Shell was hyped as the next Log4Shell and turned out to be neither as broad nor as harmless as the early coverage suggested. A 2026 look back at the real numbers.

Jan 22, 20265 min read
Vulnerability Analysis

Spring4Shell (CVE-2022-22965): root cause and remote code...

Spring4Shell (CVE-2022-22965) let attackers manipulate Java class loaders via Spring data binding to achieve RCE on Tomcat-deployed apps. Root cause, timeline, and fixes.

Jan 22, 20269 min read
Vulnerability Analysis

Spring4Shell RCE in Spring Framework (CVE-2022-22965)

A deep dive into CVE-2022-22965 (Spring4Shell): the critical Spring Framework RCE, its exploitation chain, timeline, and how to remediate it fast.

Jan 18, 20267 min read
Vulnerability Analysis

Spring4Shell (CVE-2022-22965) Deep Dive: RCE via Data Bin...

A technical breakdown of Spring4Shell (CVE-2022-22965): the data-binding RCE, affected Spring/Tomcat configurations, severity, timeline, and how to remediate and detect exposure.

Oct 27, 20257 min read
Vulnerabilities

The Spring Shell Vulnerability: What Happened

Spring4Shell (CVE-2022-22965) let attackers achieve remote code execution through Spring's data-binding mechanism — here's what made it exploitable and what actually needed patching.

Jan 30, 20244 min read
Vulnerability Management

Spring4Shell (CVE-2022-22965) Response Analysis

A 2010-era bypass resurfaced as CVE-2022-22965 on Spring Framework for JDK 9+. Here is how the disclosure, patch, and industry response actually went.

Apr 2, 20226 min read
Vulnerability Analysis

Spring4Shell vs Log4Shell: Comparing Two Java Framework Crises

Both scored 9.8 on CVSS. Both affected millions of Java applications. But Log4Shell and Spring4Shell had fundamentally different blast radii. Here's a direct comparison.

Apr 2, 20226 min read
spring4shell — Safeguard Blog