CVE-2022-22980

CRITICAL

Spring Data MongoDB - Code Injection


Exploitation Summary

EIP tracks 8 public exploits for CVE-2022-22980. PoCs published by trganda, kuron3k0, li8u99.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2022-22980, demonstrating SpEL injection in Spring Data MongoDB. The exploit leverages a malicious query to execute arbitrary code (e.g., launching 'calc') via the `findByFirstName` method.

Description

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Exploits (8)

nomisec WORKING POC 32 stars
by trganda · poc
https://github.com/trganda/CVE-2022-22980

This repository contains a functional PoC for CVE-2022-22980, demonstrating SpEL injection in Spring Data MongoDB. The exploit leverages a malicious query to execute arbitrary code (e.g., launching 'calc') via the `findByFirstName` method.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Spring Data MongoDB (versions affected by CVE-2022-22980)
Auth: none needed
Prerequisites: MongoDB installed locally · Spring Boot application with vulnerable Spring Data MongoDB dependency
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 14 stars
by kuron3k0 · poc
https://github.com/kuron3k0/Spring-Data-Mongodb-Example

This repository provides a working proof-of-concept for CVE-2022-22980, a SpEL injection vulnerability in Spring Data MongoDB. The exploit demonstrates remote code execution by injecting a malicious SpEL expression into the 'id' parameter, which is then evaluated by the application.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Spring Data MongoDB (versions affected by CVE-2022-22980)
Auth: none needed
Prerequisites: Access to the vulnerable endpoint · Spring Data MongoDB with vulnerable SpEL evaluation
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 11 stars
by li8u99 · poc
https://github.com/li8u99/Spring-Data-Mongodb-Demo

This repository provides a Spring Boot application demonstrating CVE-2022-22980, a SpEL injection vulnerability in Spring Data MongoDB. The `UserRepository` uses a vulnerable `@Query` annotation with SpEL expression, allowing arbitrary code execution when exploited via the `/test` endpoint.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Spring Data MongoDB (versions before 3.4.0, 3.3.3)
Auth: none needed
Prerequisites: Exposed `/test` endpoint · Spring Data MongoDB with vulnerable query annotation
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 10 stars
by jweny · poc
https://github.com/jweny/cve-2022-22980

This repository contains a working PoC for CVE-2022-22980, a SpEL injection vulnerability in Spring Data MongoDB. The exploit demonstrates remote code execution via a crafted HTTP request to the `/v1/user/get` endpoint.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Spring Data MongoDB (versions affected by CVE-2022-22980)
Auth: none needed
Prerequisites: A vulnerable Spring Data MongoDB application with an exposed endpoint using SpEL expressions
Analyzed by devstral-2, Feb 16, 2026
nomisec WRITEUP 7 stars
by Vulnmachines · poc
https://github.com/Vulnmachines/Spring_cve-2022-22980

This repository provides a description and video PoC for CVE-2022-22980, a SpEL injection vulnerability in Spring Data MongoDB. The vulnerability allows remote code execution when using @Query or @Aggregation-annotated methods with unsanitized input.

Classification: Writeup (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Spring Data MongoDB (versions with @Query or @Aggregation annotations)
Auth: none needed
Prerequisites: Application using Spring Data MongoDB with vulnerable @Query or @Aggregation annotations · Unsanitized user input in SpEL expressions
Analyzed by devstral-2, Feb 16, 2026
github WORKING POC 5 stars
by JAckLosingHeart · javapoc
https://github.com/JAckLosingHeart/CVE-PoC-Collection/tree/main/spring-CVE-2022-22980

This repository contains a functional PoC for CVE-2022-22980, demonstrating SpEL injection in Spring Data MongoDB. The exploit leverages a vulnerable `@Query` annotation to execute arbitrary code via SpEL expressions, as shown in the `findByFirstName` method.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Spring Data MongoDB (versions affected by CVE-2022-22980)
Auth: none needed
Prerequisites: Spring Data MongoDB with vulnerable `@Query` annotations · Ability to send crafted input to the vulnerable endpoint
Analyzed by devstral-2, Feb 27, 2026
nomisec WRITEUP 5 stars
by murataydemir · poc
https://github.com/murataydemir/CVE-2022-22980

This repository contains a detailed writeup about CVE-2022-22980, a SpEL Expression Injection vulnerability in Spring Data MongoDB. It explains the vulnerability, affected versions, mitigation strategies, and patch analysis without providing exploit code.

Classification: Writeup (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Spring Data MongoDB 3.4.0, 3.3.0 to 3.3.4, and older versions
Auth: none needed
Prerequisites: Application using Spring Data MongoDB with @Query or @Aggregation annotations · Unsanitized user input in SpEL expressions
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 1 star
by Eliasdekiniweek · poc
https://github.com/Eliasdekiniweek/CVE-2022-22980

This repository contains a functional Python-based exploit for CVE-2022-22980, a SpEL injection vulnerability in Spring Data. The exploit sends a crafted payload to a vulnerable endpoint, executes arbitrary commands via Runtime.getRuntime().exec(), and exfiltrates the output via HTTP.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Spring Data (versions affected by CVE-2022-22980)
Auth: none needed
Prerequisites: Python 3.x · curl · wget on target · network access to target
Analyzed by devstral-2, Feb 19, 2026

References (1)

Core reference (Mitigation, Vendor Advisory): https://tanzu.vmware.com/security/cve-2022-22980

Scores

CVSS v3 9.8
EPSS 0.8332
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-917
Status published
Products (3)
org.springframework.data/spring-data-mongodb 3.4.0 - 3.4.1 (Maven)
vmware/spring_data_mongodb 3.4.0
vmware/spring_data_mongodb < 3.3.4
Published Jun 23, 2022
Tracked Since Feb 18, 2026