CVE-2022-22978

CRITICAL

Spring Security < 5.5.7 - Authorization Bypass via RegexRequestMatcher Misconfiguration

Title source: llm

Exploitation Summary

EIP tracks 8 public exploits for CVE-2022-22978. PoCs published by DeEpinGh0st, ducluongtran9121, aeifkz.

AI-analyzed exploit summary: This repository demonstrates CVE-2022-22978, an authentication bypass vulnerability in Spring Security due to improper handling of newline characters in RegexRequestMatcher. The PoC includes a Spring Boot application with a vulnerable configuration and a test case to verify the bypass.

Description

In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and in older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Exploits (8)

nomisec WORKING POC 16 stars
by DeEpinGh0st · poc
https://github.com/DeEpinGh0st/CVE-2022-22978

This repository demonstrates CVE-2022-22978, an authentication bypass vulnerability in Spring Security due to improper handling of newline characters in RegexRequestMatcher. The PoC includes a Spring Boot application with a vulnerable configuration and a test case to verify the bypass.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Spring Security 5.5.x < 5.5.7, Spring Security 5.6.x < 5.6.4
No auth needed
Prerequisites: Target application using RegexRequestMatcher with a regex pattern containing a dot (e.g., /admin/.*).
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 12 stars
by ducluongtran9121 · poc
https://github.com/ducluongtran9121/CVE-2022-22978-PoC

This repository contains a functional PoC for CVE-2022-22978, demonstrating an authorization bypass in Spring Security's RegexRequestMatcher due to improper handling of newline characters in regex patterns.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Spring Security versions 5.5.x before 5.5.7, 5.6.x before 5.6.4, and unsupported older versions
No auth needed
Prerequisites: A Spring Security application using RegexRequestMatcher with a regex pattern containing a dot (.)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 5 stars
by aeifkz · poc
https://github.com/aeifkz/CVE-2022-22978

This repository demonstrates an authentication bypass vulnerability in Spring Security (CVE-2022-22978) by exploiting path normalization issues. The PoC includes a Spring Boot application with endpoints that can be accessed using newline characters (%0a or %0d) to bypass security restrictions.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Spring Security (versions affected by CVE-2022-22978)
No auth needed
Prerequisites: Access to a vulnerable Spring Security application
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by umakant76705 · poc
https://github.com/umakant76705/CVE-2022-22978

This repository contains a functional PoC for CVE-2022-22978, demonstrating an authorization bypass in Spring Security's RegexRequestMatcher. The exploit leverages newline characters (%0a, %0d) to bypass regex-based path authentication.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Spring Security (5.5.x < 5.5.7, 5.6.x < 5.6.4, older unsupported versions)
No auth needed
Prerequisites: Spring Security with vulnerable version · Endpoint protected by regexMatcher
devstral-2 · analyzed Feb 16, 2026
gitlab WORKING POC
by cy4n · poc
https://gitlab.com/cy4n/CVE-2022-22978

This repository demonstrates an authentication bypass vulnerability in Spring Security 5.6.3 via a regex mismatch in path matching. The exploit uses a newline character (%0a) to bypass authentication requirements for endpoints under '/vulnerable/'.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Spring Security 5.6.3
No auth needed
Prerequisites: Spring Security 5.6.3 · Endpoint configured with regexMatchers
devstral-2 · analyzed Feb 23, 2026
nomisec WRITEUP
by he-ewo · poc
https://github.com/he-ewo/CVE-2022-22978

This repository documents CVE-2022-22978, an authorization bypass vulnerability in Spring Security due to improper handling of newline characters in RegexRequestMatcher. The writeup includes steps to reproduce the issue using encoded newline characters (%0a, %0d) to bypass access controls.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Spring Security 5.5.6, 5.6.3 and earlier
No auth needed
Prerequisites: A vulnerable version of Spring Security · Access to a target endpoint using RegexRequestMatcher
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by wan9xx · poc
https://github.com/wan9xx/CVE-2022-22978-demo

This repository demonstrates CVE-2022-22978, a Spring Security bypass vulnerability. It includes a Spring Boot application with configured security rules using regexMatchers, which can be bypassed under specific conditions.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Spring Security (versions affected by CVE-2022-22978)
No auth needed
Prerequisites: Spring Security with regexMatchers using '.' to match paths · Specific path configurations vulnerable to bypass
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by Raghvendra1207 · poc
https://github.com/Raghvendra1207/CVE-2022-22978

This repository contains a working proof-of-concept for CVE-2022-22978, an authorization bypass vulnerability in Spring Security's RegexRequestMatcher. The exploit demonstrates how attackers can bypass authentication by injecting newline characters (%0a or %0d) into URLs.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Spring Security versions 5.5.x before 5.5.7, 5.6.x before 5.6.4, and unsupported older versions
No auth needed
Prerequisites: Spring Security with vulnerable version · Application using regexMatchers for path-based authentication
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.9022
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-863
Status published
Products (6)
netapp/active_iq_unified_manager (3 CPE variants)
oracle/financial_services_crime_and_compliance_management_studio 8.0.8.2.0
oracle/financial_services_crime_and_compliance_management_studio 8.0.8.3.0
org.springframework.security/spring-security-core 5.5.0 - 5.5.7 (Maven)
org.springframework.security/spring-security-web 5.5.0 - 5.5.7 (Maven)
vmware/spring_security < 5.5.7
Published May 19, 2022
Tracked Since Feb 18, 2026