Critical Spring Cloud Gateway Vulnerabilities CVE-2022-22946 and CVE-2022-22947: Description, Impact, and Mitigation
This article summarises the two high‑severity Spring Cloud Gateway vulnerabilities (CVE‑2022‑22946 and CVE‑2022‑22947), covering their descriptions, affected versions and exploitation pre‑conditions, and gives concrete remediation steps such as upgrading to a fixed release or disabling the vulnerable actuator endpoint.
Spring Cloud Gateway, a component of Spring Cloud built on Spring 5.0, Spring Boot 2.0 and Project Reactor, provides API routing for micro‑service architectures. On March 1, 2022, VMware released security advisories for two critical CVEs affecting this gateway.
Vulnerability 1: Remote Code Execution (CVE‑2022‑22947)
The vulnerability allows an attacker who can reach the exposed /actuator/gateway endpoint to execute arbitrary SpEL expressions, leading to remote code execution and full compromise of the host.
Pre‑conditions for exploitation
The application uses Spring Cloud Gateway together with Spring Boot Actuator exposing the /actuator/ endpoints.
The gateway actuator endpoint is enabled and exposed over the web (e.g., management.endpoint.gateway.enabled=true and management.endpoints.web.exposure.include=gateway).
Affected versions
Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
All older, unsupported releases
Mitigation
Upgrade to Spring Cloud Gateway 3.1.1 or 3.0.7.
Alternatively, if upgrading is not immediately possible, disable the gateway actuator endpoint by setting management.endpoint.gateway.enabled=false in application.properties.
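As an added example (not code from the article or the Spring project), the following Python checker evaluates the two pre‑conditions and the affected version ranges listed above against a Spring Cloud Gateway version string and an application.properties text. It assumes that the gateway endpoint counts as enabled when the property is absent (the Spring Cloud Gateway documentation lists true as the default) and that the `*` wildcard and management.endpoints.web.exposure.exclude behave as in Spring Boot; the sample configuration is constructed.

```python
import re

# Affected ranges from the advisory: 3.1.x < 3.1.1 and 3.0.x < 3.0.7. Older
# minor lines are unsupported and listed as affected as well.
FIXED = {(3, 1): (3, 1, 1), (3, 0): (3, 0, 7)}

def parse_properties(text):
    """Minimal key=value parser for application.properties (comments skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def _csv(props, key):
    """Comma-separated property value as a set of trimmed names."""
    return {s.strip() for s in props.get(key, "").split(",") if s.strip()}

def version_affected(version):
    """True when the gateway version lies inside an advisory range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    ver = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(ver[:2])
    if fixed is None:           # no fix listed for this minor line
        return ver < (3, 0, 0)  # pre-3.0 lines are the "older, unsupported" releases
    return ver < fixed

def gateway_endpoint_exposed(props):
    """True when /actuator/gateway is enabled and exposed over HTTP."""
    # Assumption: the gateway docs list enabled=true as the default, so an absent
    # key counts as enabled. In Spring Boot, exposure.exclude wins over include.
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    include = _csv(props, "management.endpoints.web.exposure.include")
    exclude = _csv(props, "management.endpoints.web.exposure.exclude")
    included = "gateway" in include or "*" in include
    excluded = "gateway" in exclude or "*" in exclude
    return enabled and included and not excluded

def assess(version, properties_text):
    """Combine both pre-conditions; at_risk means CVE-2022-22947 applies."""
    props = parse_properties(properties_text)
    va, ex = version_affected(version), gateway_endpoint_exposed(props)
    return {"version_affected": va, "endpoint_exposed": ex, "at_risk": va and ex}

# Constructed sample configuration (not from the article): both pre-conditions met.
VULNERABLE_CONFIG = "management.endpoint.gateway.enabled=true\nmanagement.endpoints.web.exposure.include=gateway\n"
```

Running assess("3.1.0", VULNERABLE_CONFIG) reports at_risk=True; setting the enabled property to false or moving to 3.1.1 / 3.0.7 clears it.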
Vulnerability 2: Insecure TrustManager in HTTP/2 (CVE‑2022‑22946)
When HTTP/2 is enabled without a proper keystore or trusted certificates configured, the gateway falls back to an insecure TrustManager, so it will establish connections to remote services that present invalid or custom certificates instead of rejecting them.
Affected version
Spring Cloud Gateway 3.1.0.
Mitigation
Upgrade to Spring Cloud Gateway 3.1.1 or later, which contains the security fix.
References
https://tanzu.vmware.com/security/cve-2022-22946
https://tanzu.vmware.com/security/cve-2022-22947
For further details and source code snippets, see the original article.