As far as is currently known, all Spring releases from version 4.3 up to and including the current version 5.3.15 are affected, in each case when combined with JDK version 9 or higher. Combinations with older JDK versions, however, are not believed to be vulnerable. A security patch and various workarounds to address the exploit are now available, but they have not yet been extensively tested. Cybercriminals are already actively exploiting Spring4Shell for attacks. It is not yet possible to conclusively determine how far-reaching the effects of the exploit are.