Critical Spring Cloud Gateway Vulnerabilities CVE-2022-22946 and CVE-2022-22947: Description, Impact, and Mitigation
This article explains two high‑severity Spring Cloud Gateway vulnerabilities (CVE‑2022‑22946 and CVE‑2022‑22947), outlines the affected versions, describes how attackers can exploit exposed Actuator endpoints, and provides concrete mitigation steps such as upgrading to safe releases or disabling the gateway actuator.
Spring Cloud Gateway, a core component of the Spring Cloud ecosystem, suffered two critical security issues disclosed on March 1, 2022: a remote code execution vulnerability (CVE‑2022‑22947) and an unsafe TrustManager problem in HTTP/2 (CVE‑2022‑22946).
Vulnerability 1 – CVE‑2022‑22947 (Remote Code Execution)
When the gateway Actuator endpoint is exposed, an attacker can send a crafted request that evaluates arbitrary SpEL expressions, leading to remote code execution and full system compromise.
Vulnerability 2 – CVE‑2022‑22946 (Unsafe TrustManager)
Gateway instances configured for HTTP/2 without a proper keystore or trusted certificates use a permissive TrustManager, allowing connections to remote services with invalid or self‑signed certificates.
Affected Versions
Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
All older, unsupported releases
Exploitation Preconditions
The application includes Spring Boot Actuator and exposes the /actuator/gateway endpoint.
The management.endpoint.gateway.enabled property is set to true (the default) and the endpoint is included in management.endpoints.web.exposure.include.
Example vulnerable configuration:
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=gateway
Mitigation
Upgrade to a patched version: Spring Cloud Gateway 3.1.1 or 3.0.7 (or newer).
If upgrading is not feasible, disable the gateway actuator endpoint by setting management.endpoint.gateway.enabled=false in application.properties.
Disable example:
management.endpoint.gateway.enabled=false
For further details, refer to the official VMware security advisories:
CVE‑2022‑22946
CVE‑2022‑22947
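The following is an added audit helper, not code from the article or from the Spring project: it combines the two conditions the article lists (an unpatched release, and the gateway actuator enabled and exposed over the web) into one check that can be run against a deployment's version string and application.properties. The version and properties parsing is our own simplified implementation; it assumes Spring Boot 2.5+ defaults (endpoints enabled by default, web exposure defaulting to "health", and exclude taking precedence over include).

```python
"""Audit a Spring Cloud Gateway deployment for the CVE-2022-22947 preconditions.

Constructed example: the version comparison and properties parsing below are a
simplified re-implementation for auditing, not Spring's own logic.
"""
import re

# Patched releases named in the advisory: 3.1.1 and 3.0.7.
PATCHED = {(3, 1): 1, (3, 0): 7}


def version_is_patched(version: str) -> bool:
    """True if the gateway release is 3.1.1+, 3.0.7+, or a newer minor line."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    return (major, minor) > (3, 1)  # 3.2+ is newer; anything below 3.0 is unsupported


def parse_properties(text: str) -> dict:
    """Minimal application.properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> set:
    return {v.strip() for v in value.split(",") if v.strip()}


def gateway_actuator_exposed(props: dict) -> bool:
    """Endpoint enabled AND included in web exposure AND not excluded (assumed Boot 2.5+ defaults)."""
    enabled = props.get("management.endpoint.gateway.enabled",
                        props.get("management.endpoints.enabled-by-default", "true"))
    if enabled.lower() != "true":
        return False
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "gateway" in exclude or "*" in exclude:
        return False
    return "gateway" in include or "*" in include


def is_vulnerable(version: str, properties_text: str) -> bool:
    """Both preconditions from the article must hold: unpatched release and exposed endpoint."""
    return not version_is_patched(version) and gateway_actuator_exposed(parse_properties(properties_text))
```

Exposing every endpoint with include=* is the case most often missed: it exposes the gateway endpoint just as surely as naming it explicitly.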
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.