Spring Framework security update fixes zero-day vulnerability
The maintainers of Spring Framework have released an emergency patch to address a newly disclosed remote code execution flaw that, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.
Tracked as CVE-2022-22965, the high-severity flaw impacts Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older, unsupported versions. The vulnerability has been fixed in Spring Framework versions 5.3.18 and 5.2.20.
More information on the vulnerability and the updates is available in the Spring Framework security advisory – spring.io.
01 April 2022