CVE-2021-22053

HIGH EXPLOITED IN THE WILD NUCLEI

Spring Cloud Netflix Hystrix Dashboard - Remote Code Execution via Request URI Path SpringEL Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-22053 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including SecCoder-Security-Lab, Vulnmachines. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains a functional PoC for CVE-2021-22053, demonstrating a SpringEL injection vulnerability in Spring Cloud Netflix Hystrix Dashboard. The exploit leverages path-based template resolution to execute arbitrary code via crafted URI paths.

Description

Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.

Exploits (2)

nomisec WORKING POC 37 stars
by SecCoder-Security-Lab · poc
https://github.com/SecCoder-Security-Lab/spring-cloud-netflix-hystrix-dashboard-cve-2021-22053

The repository contains a functional PoC for CVE-2021-22053, demonstrating a SpringEL injection vulnerability in Spring Cloud Netflix Hystrix Dashboard. The exploit leverages path-based template resolution to execute arbitrary code via crafted URI paths.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Spring Cloud Netflix Hystrix Dashboard (2.2.0.RELEASE to 2.2.9.RELEASE)
No auth needed
Prerequisites: Target must use both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` · Network access to the vulnerable endpoint
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP 1 stars
by Vulnmachines · poc
https://github.com/Vulnmachines/CVE-2021-22053

The repository provides a detailed technical description of CVE-2021-22053, a Spring Cloud Netflix Hystrix Dashboard vulnerability allowing SpringEL injection via URI path manipulation. It includes affected versions, mitigation steps, and references but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Spring Cloud Netflix Hystrix Dashboard (2.2.0.RELEASE to 2.2.9.RELEASE)
No auth needed
Prerequisites: Target application using spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execution
HIGHby forgedhallpass

References (1)

Core 1
Core References
Vendor Advisory x_refsource_misc
https://tanzu.vmware.com/security/cve-2021-22053

Scores

CVSS v3 8.8
EPSS 0.8672
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-05-31
InTheWild.io 2022-05-31
CWE
CWE-94
Status published
Products (2)
org.springframework.cloud/spring-cloud-netflix-hystrix-dashboard 0 - 2.2.10.RELEASEMaven
vmware/spring_cloud_netflix 2.2.0 - 2.2.10
Published Nov 19, 2021
Tracked Since Feb 18, 2026