GHSA-558x-2xjg-6232

GitHub Security Advisory

Allocation of Resources Without Limits or Throttling in Spring Framework

✓ GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0.RELEASE - 5.2.19.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Affected Packages

Maven org.springframework:spring-expression
Affected versions: 5.3.0 and later, before 5.3.17 (fixed in 5.3.17)

Maven org.springframework:spring-expression
Affected versions: all versions before 5.2.20.RELEASE (fixed in 5.2.20.RELEASE)

Key Information

GHSA ID: GHSA-558x-2xjg-6232
Published: April 3, 2022 12:01 AM
Last Modified: March 28, 2023 10:26 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.springframework:spring-expression
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 20, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.