CVE-2022-22947 — VMware Spring Cloud Gateway Code Injection Vulnerability


VMware Spring Cloud Gateway — Pre-Auth RCE via SpEL Injection in Actuator Endpoint (CVSS 10)

What is Spring Cloud Gateway?

Spring Cloud Gateway is a widely-used API gateway built on Spring Boot and Spring WebFlux, providing routing, load balancing, rate limiting, and request transformation for microservice architectures. It is a standard component in Spring-based cloud-native deployments, commonly running in Kubernetes and other container orchestration platforms. The Spring Actuator endpoint exposes management and monitoring APIs — powerful functionality that is often inadvertently left accessible.

Overview

CVE-2022-22947 is a pre-authentication remote code execution vulnerability in Spring Cloud Gateway arising from Spring Expression Language (SpEL) injection via the Actuator endpoint. When the Gateway Actuator endpoint is enabled, exposed, and not secured behind authentication, an attacker can submit a malicious gateway route definition containing a SpEL expression that, once evaluated, executes arbitrary Java code on the server. CVSS 10.0 (Critical). Public proof-of-concept exploits appeared on GitHub within 24 hours of the advisory, and mass scanning was observed almost immediately. CISA added it to the KEV catalog in May 2022.

Affected Versions

Version | Status
Spring Cloud Gateway 3.1.0 and earlier | Vulnerable
Spring Cloud Gateway 3.0.6 and earlier | Vulnerable
Spring Cloud Gateway 3.1.1 | Fixed
Spring Cloud Gateway 3.0.7 | Fixed

Technical Details

Spring Cloud Gateway exposes a Spring Boot Actuator HTTP endpoint (/actuator/gateway/routes) that allows runtime configuration of routes. Routes can include predicates and filters expressed as SpEL (Spring Expression Language) expressions. SpEL is a powerful expression language capable of accessing arbitrary Java objects and executing methods.

The flaw: when creating or updating gateway routes through the Actuator API, Spring Cloud Gateway evaluates SpEL expressions in route definitions without sufficient restriction. An attacker can inject a SpEL expression that executes OS commands:

POST /actuator/gateway/routes/evil
{
  "predicates": [{"name": "Path", "args": {"pattern": "/evil"}}],
  "filters": [{
    "name": "AddResponseHeader",
    "args": {"name": "Result", 
             "value": "#{T(java.lang.Runtime).getRuntime().exec('id')}"}
  }]
}

A subsequent POST /actuator/gateway/refresh triggers route refresh and SpEL evaluation, executing the payload.
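The two-step sequence above (a route written through the Actuator API, then a refresh that evaluates it) is what a defender should look for in gateway access logs. The following detection script is an added example, not code from this page or from the Spring Cloud Gateway project; the log format and the log lines it parses are constructed for illustration, and the 120-second correlation window is an assumed tuning value. It flags any route write through the Actuator, raises the severity when the route definition carries SpEL markers (the "#{" template delimiter or the T( type operator), and flags a refresh that follows a route write from the same client within the window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines, not real traffic. Fields are:
# timestamp  client-ip  method  path  status  body-excerpt ("-" when empty).
SAMPLE_LOG = """\
2022-03-02T10:14:01Z 203.0.113.7 GET /actuator/health 200 -
2022-03-02T10:15:22Z 198.51.100.9 POST /actuator/gateway/routes/hacktest 201 {"predicates":[{"name":"Path","args":{"pattern":"/hacktest"}}],"filters":[{"name":"AddResponseHeader","args":{"name":"Result","value":"#{T(java.lang.Runtime).getRuntime().exec('id')}"}}]}
2022-03-02T10:15:23Z 198.51.100.9 POST /actuator/gateway/refresh 200 -
2022-03-02T10:16:40Z 10.0.0.5 POST /actuator/gateway/routes/orders 201 {"predicates":[{"name":"Path","args":{"pattern":"/orders/**"}}],"uri":"lb://orders"}
2022-03-02T10:40:00Z 10.0.0.5 POST /actuator/gateway/refresh 200 -
"""

# A route being created or replaced through the Actuator API.
ROUTE_WRITE = re.compile(r"^/actuator/gateway/routes/[^/]+/?$")
REFRESH_PATH = "/actuator/gateway/refresh"
# Markers of a SpEL expression inside a route definition: the "#{...}" template
# delimiter and the T(...) type operator used to reach static Java methods.
SPEL_MARKERS = re.compile(r"#\{|\bT\(")


def parse_line(line):
    """Split one log line into a dict; the body excerpt is everything after the status."""
    ts, client, method, path, status, body = line.split(" ", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "path": path,
        "status": int(status),
        "body": body,
    }


def detect_actuator_abuse(log_text, window=timedelta(seconds=120)):
    """Return (severity, client, reason) findings for the route-write -> refresh sequence."""
    findings = []
    last_route_write = {}  # client -> timestamp of its most recent route write
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["method"] in ("POST", "PUT") and ROUTE_WRITE.match(ev["path"]):
            last_route_write[ev["client"]] = ev["ts"]
            if SPEL_MARKERS.search(ev["body"]):
                findings.append(("high", ev["client"],
                                 f"SpEL expression in route definition written to {ev['path']}"))
            else:
                # Any runtime route change through the Actuator deserves review,
                # even without SpEL markers in the captured excerpt.
                findings.append(("medium", ev["client"],
                                 f"route written via Actuator: {ev['path']}"))
        elif ev["method"] == "POST" and ev["path"] == REFRESH_PATH:
            since = last_route_write.get(ev["client"])
            if since is not None and ev["ts"] - since <= window:
                findings.append(("high", ev["client"],
                                 "route refresh shortly after route write (CVE-2022-22947 exploitation sequence)"))
            else:
                findings.append(("low", ev["client"], "route refresh via Actuator"))
    return findings


if __name__ == "__main__":
    for severity, client, reason in detect_actuator_abuse(SAMPLE_LOG):
        print(f"[{severity:6}] {client:14} {reason}")
```

Run against the constructed sample, the script reports two high findings for 198.51.100.9 (SpEL in the route body, then a refresh one second later), a medium finding for the internal client that wrote a plain route, and a low finding for its refresh 23 minutes later, which falls outside the window. In production the body excerpt is usually unavailable in a plain access log, so the route-write followed by refresh correlation is the signal that still works there; pair it with the post-patch route audit described under Remediation.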

Prerequisites: The Actuator endpoint must be enabled (default in some configurations) and exposed without authentication. Spring Boot Actuator endpoints are often inadvertently exposed — especially in development/staging environments promoted to production, or when operators enable "all" Actuator endpoints without restricting access.

Discovery

The vulnerability was discovered by VMware's internal security team and responsibly disclosed through the standard Spring/VMware security process. The patch was coordinated with the Spring Framework team for simultaneous release.

Exploitation Context

Spring Cloud Gateway is deployed extensively in microservices architectures running in Kubernetes, AWS, GCP, and Azure. The combination of widespread deployment, easy-to-use PoC exploits, and common misconfiguration (exposed Actuator endpoints) made this vulnerability extremely dangerous.

Mass automated scanning targeting the Actuator endpoints began within hours of the PoC publication. Threat actors leveraged this for cryptomining, botnet recruitment, and initial access in larger attacks. The vulnerability is part of a broader pattern of Spring Actuator endpoint exploitation — CVE-2022-22963 (Spring Cloud Function) and CVE-2022-22965 (Spring4Shell) were disclosed around the same time, creating a period of intense Spring ecosystem targeting.

Remediation

  1. Upgrade Spring Cloud Gateway: Update to 3.1.1 or 3.0.7. This removes the SpEL injection vector.
  2. Secure or disable Actuator endpoints: If upgrading is not immediately possible, restrict access to the Gateway Actuator endpoint:
    • Add Spring Security authentication to Actuator endpoints
    • Or disable the routes Actuator endpoint: spring.cloud.gateway.actuator.verbose.enabled=false
  3. Network-level controls: Ensure Actuator endpoints (typically /actuator/**) are not accessible from the public internet — restrict via ingress rules or API gateway policies.
  4. Audit Actuator exposure: Review all Spring Boot applications for unintentionally exposed Actuator endpoints.
  5. Monitor for unauthorized route creation: After patching, review gateway route configurations for any unauthorized additions created during the exposure window.
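For step 4 (auditing Actuator exposure across many Spring Boot applications), the decisive question is whether the gateway Actuator endpoint is both enabled and exposed over HTTP. The script below is an added example, not code from this page or from the Spring project; the two application.properties excerpts are constructed. It assumes the standard Spring Boot property names management.endpoint.gateway.enabled (default true) and management.endpoints.web.exposure.include / .exclude (include defaults to "health", and exclude takes precedence), and it only reads .properties syntax, not YAML. It cannot see Spring Security configuration, so an exposed endpoint is reported as something to confirm is authenticated, not as proven unauthenticated.

```python
# Constructed application.properties excerpts, not taken from any real deployment.
RISKY_CONFIG = """\
# Exposes every Actuator endpoint, including gateway, over HTTP
management.endpoints.web.exposure.include=*
server.port=8080
"""

HARDENED_CONFIG = """\
management.endpoint.gateway.enabled=false
management.endpoints.web.exposure.include=health,info
server.port=8080
"""


def parse_properties(text):
    """Minimal .properties reader: key=value per line, '#' and '!' comment lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv_set(value):
    """Turn a comma-separated property value into a set of trimmed names."""
    return {item.strip() for item in value.split(",") if item.strip()}


def audit_gateway_actuator(properties_text):
    """Decide whether the gateway Actuator endpoint is reachable over HTTP and say why.

    Assumed defaults (Spring Boot 2.x / Spring Cloud Gateway 3.x):
      - management.endpoint.gateway.enabled defaults to true
      - management.endpoints.web.exposure.include defaults to "health"
      - exposure.exclude wins over exposure.include
    """
    props = parse_properties(properties_text)
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() != "false"
    include = _csv_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv_set(props.get("management.endpoints.web.exposure.exclude", ""))

    included = "*" in include or "gateway" in include
    excluded = "*" in exclude or "gateway" in exclude
    reachable = enabled and included and not excluded

    reasons = []
    if not enabled:
        reasons.append("management.endpoint.gateway.enabled=false disables the endpoint")
    elif not included:
        reasons.append("gateway is not in management.endpoints.web.exposure.include")
    elif excluded:
        reasons.append("gateway is listed in management.endpoints.web.exposure.exclude")
    else:
        reasons.append("gateway endpoint enabled and exposed over HTTP; "
                       "confirm it sits behind authentication and network restrictions")
    return {"gateway_actuator_reachable": reachable, "reasons": reasons}


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_gateway_actuator(cfg))
```

The wildcard include is the misconfiguration the Overview and Technical Details sections describe: it is common in development profiles and turns every Actuator endpoint, the gateway one included, into an HTTP surface. An empty properties file audits as not reachable because the Spring Boot default exposes only health; that default is why the endpoint is usually exposed by an explicit operator choice rather than out of the box.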

Key Details

Property | Value
CVE ID | CVE-2022-22947
Vendor / Product | VMware — Spring Cloud Gateway
NVD Published | 2022-03-03
NVD Last Modified | 2025-10-30
CVSS 3.1 Score | 10
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-94
CISA KEV Added | 2022-05-16
CISA KEV Deadline | 2022-06-06
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Changed
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-06-06. Apply updates per vendor instructions.

Timeline

Date | Event
2022-03-01 | VMware/Spring published advisory and patched versions
2022-03-02 | Public PoC exploits appeared on GitHub
2022-03-03 | CVE published
2022-05-16 | Added to CISA Known Exploited Vulnerabilities catalog
2022-06-06 | CISA BOD 22-01 remediation deadline