CVE-2022-22979
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Cloud Function is a framework that enables developers to build functional, serverless-style applications using Spring. It provides a Function Catalog that allows functions to be dynamically looked up and invoked at runtime.
A Denial of Service vulnerability (CVE-2022-22979) has been identified in Spring Cloud Function. An attacker who can reach the framework's function lookup mechanism can use it to exhaust system resources and make the application unavailable.
This vulnerability is associated with CWE-770 Allocation of Resources Without Limits or Throttling: the system does not restrict how much of a resource a caller may consume, so consumption grows without bound.
Denial of Service occurs when a system becomes unavailable because of resource exhaustion or excessive processing. In this case, the way cached function lookups are handled allows an untrusted caller to drive unbounded memory consumption.
This issue affects all versions of Spring Cloud Function before 3.2.6.
Details
Module Info
- Product: spring-cloud-function
- Affected packages:
  - spring-cloud-function: affected versions < 3.2.6
- GitHub repository: https://github.com/spring-cloud/spring-cloud-function/
- Published packages: https://central.sonatype.com/artifact/org.springframework.cloud/spring-cloud-function-context
- Package manager: Maven
- Fixed In: NES for Spring Cloud Function v3.1.8
Vulnerability Info
This flaw affects Spring Cloud Function applications that expose, or otherwise let untrusted callers interact with, the framework's function lookup functionality, in particular through the spring-cloud-function-web module.
The vulnerability is caused by a caching issue in the Function Catalog component. In affected versions, every lookup of a distinct function definition string creates a new cache entry, and there is no size limit or eviction policy on that cache. An attacker who can invoke the lookup functionality can therefore send an endless stream of new definition strings, growing the cache indefinitely until memory is exhausted and the service is disrupted. In addition, it is possible for an attacker to invoke functions that were not intended to be exposed, since there is no mechanism to mark beans as ineligible for cloud function invocation.
Under these conditions, an attacker may be able to:
• Trigger unbounded growth of the internal function cache
• Exhaust application memory or resources
• Cause the application to become unresponsive or crash
Steps To Reproduce
- Use an application with an affected Spring Cloud Function version (before 3.2.6) that includes the spring-cloud-function-web module.
- Identify the function lookup endpoint, typically accessible at /functionRoute, or the request headers through which a function definition or routing expression is supplied.
- Submit high-frequency HTTP requests, each carrying a crafted function definition built from the composition delimiters ',' and '|'. Varying the delimiters and the number of repeated segments yields a new definition string on every request, so none of them hits an existing cache entry and each one adds another.
- Observe resource exhaustion (CPU or memory) leading to a denial-of-service condition in which the application becomes unresponsive or crashes.
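The following is an added illustration of the cache-growth pattern described in Vulnerability Info and exercised by the reproduction steps above. It is not code from Spring Cloud Function or from HeroDevs: the registry, the delimiter handling, the segment cap and the cache size are hypothetical stand-ins for the real Function Catalog, and the function names "uppercase" and "reverse" are constructed sample data. The unbounded catalog keys its cache on the raw request string and never evicts, so each of the crafted definitions lands as a fresh entry; the bounded catalog rejects oversized definitions, canonicalises the key so that delimiter variants share one entry, and evicts least-recently-used entries past a fixed limit.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

// Added example, not the Spring Cloud Function code base. Names and limits are hypothetical.
public class LookupCacheDemo {

    // Two registered functions (constructed sample data).
    static final Map<String, Function<String, String>> REGISTRY = new LinkedHashMap<>();
    static {
        REGISTRY.put("uppercase", String::toUpperCase);
        REGISTRY.put("reverse", s -> new StringBuilder(s).reverse().toString());
    }

    // Both ',' and '|' are treated as composition delimiters, as in the reproduction step above.
    static List<String> segments(String definition) {
        List<String> out = new ArrayList<>();
        for (String s : definition.split("[,|]")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    // Left-to-right composition; returns null if any segment is not a registered function.
    static Function<String, String> compose(List<String> names) {
        Function<String, String> f = null;
        for (String n : names) {
            Function<String, String> g = REGISTRY.get(n);
            if (g == null) return null;
            f = (f == null) ? g : f.andThen(g);
        }
        return f;
    }

    // Vulnerable pattern: the raw request string is the cache key and nothing is ever evicted,
    // so every distinct definition an attacker sends stays resident for the life of the process.
    static class UnboundedCatalog {
        final Map<String, Function<String, String>> cache = new LinkedHashMap<>();
        Function<String, String> lookup(String definition) {
            Function<String, String> f = cache.get(definition);
            if (f == null) {
                f = compose(segments(definition));
                if (f != null) cache.put(definition, f);
            }
            return f;
        }
    }

    // Hardened pattern: cap the number of segments, canonicalise the key, evict past a fixed size.
    static class BoundedCatalog {
        static final int MAX_SEGMENTS = 8;    // hypothetical limit
        static final int MAX_ENTRIES = 256;   // hypothetical limit
        final Map<String, Function<String, String>> cache =
            new LinkedHashMap<String, Function<String, String>>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Function<String, String>> e) {
                    return size() > MAX_ENTRIES;   // LRU eviction (access-order map)
                }
            };
        Function<String, String> lookup(String definition) {
            List<String> names = segments(definition);
            if (names.isEmpty() || names.size() > MAX_SEGMENTS) {
                throw new IllegalArgumentException("rejected definition: " + definition);
            }
            String key = String.join("|", names);   // "a,b" and "a|b" share one entry
            Function<String, String> f = cache.get(key);
            if (f == null) {
                f = compose(names);
                if (f == null) throw new IllegalArgumentException("unknown function in: " + definition);
                cache.put(key, f);
            }
            return f;
        }
    }

    // Request i appends one "reverse" per bit of i and picks ',' or '|' from the bit value, so every
    // i produces a distinct definition string that uses only registered function names.
    static String craftedDefinition(int i) {
        StringBuilder sb = new StringBuilder("uppercase");
        for (int bits = i; bits != 0; bits >>>= 1) {
            sb.append((bits & 1) == 0 ? "," : "|").append("reverse");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        int requests = 100_000;
        UnboundedCatalog unbounded = new UnboundedCatalog();
        BoundedCatalog bounded = new BoundedCatalog();
        int rejected = 0;
        for (int i = 0; i < requests; i++) {
            String def = craftedDefinition(i);
            unbounded.lookup(def);
            try { bounded.lookup(def); } catch (IllegalArgumentException ex) { rejected++; }
        }
        System.out.println("unbounded cache entries: " + unbounded.cache.size()); // grows one per request
        System.out.println("bounded cache entries:   " + bounded.cache.size());   // one per distinct segment count, capped
        System.out.println("rejected by segment cap: " + rejected);
        System.out.println(bounded.lookup("uppercase|reverse").apply("abc"));
    }
}
```

In the unbounded catalog the entry count equals the number of requests, because the attacker controls the key. In the bounded catalog the crafted strings collapse to at most MAX_SEGMENTS distinct canonical keys and everything longer is refused before any composition is built, which is the property a fix for CWE-770 has to establish: the caller must not be able to choose how many entries exist.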
Mitigation
Only recent versions of Spring Cloud Function are community-supported.
Users of the affected components should apply one or more of the following mitigations:
- Restrict access to lookup endpoints (such as /functionRoute) to trusted internal networks or authenticated users only.
- Implement rate limiting at the API gateway or application level to stop the high-frequency requests this resource allocation weakness depends on.
- Upgrade affected applications to a supported version of Spring Cloud Function (3.2.6 or later).
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
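As an added example of the first two mitigations at the application level (this is not configuration shipped by Spring Cloud Function or HeroDevs), the class below registers a Spring Security filter chain that allows only authenticated callers holding a dedicated role to reach the lookup endpoint, plus a servlet filter that caps lookup requests per client address in a fixed time window. It assumes Spring Boot 2.7 with Spring Security 5.7 and the javax.servlet API; the path /functionRoute is taken from the advisory, and the role name, window size and request cap are hypothetical values to be tuned per deployment.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not part of the project. Assumes Spring Boot 2.7 / Spring Security 5.7 / javax.servlet.
@Configuration
public class FunctionEndpointSecurity {

    // Mitigation 1: only authenticated callers with a dedicated (hypothetical) role may use the
    // lookup endpoint; every other path still requires authentication.
    @Bean
    SecurityFilterChain functionEndpoints(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .antMatchers("/functionRoute/**").hasRole("FUNCTION_CALLER")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }

    // Mitigation 2: per-client fixed-window cap on lookup requests. Spring Boot registers
    // any Filter bean with the servlet container automatically.
    @Bean
    LookupRateLimitFilter lookupRateLimitFilter() {
        return new LookupRateLimitFilter();
    }

    public static class LookupRateLimitFilter extends OncePerRequestFilter {
        static final int MAX_REQUESTS_PER_WINDOW = 60;   // hypothetical cap
        static final long WINDOW_MILLIS = 60_000L;       // hypothetical window
        static final int CLEANUP_THRESHOLD = 10_000;     // keep the limiter's own state bounded too
        private final ConcurrentHashMap<String, Window> windows = new ConcurrentHashMap<>();

        static final class Window {
            final long start;
            final AtomicInteger count = new AtomicInteger();
            Window(long start) { this.start = start; }
        }

        @Override
        protected boolean shouldNotFilter(HttpServletRequest request) {
            return !request.getRequestURI().startsWith("/functionRoute");
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            long now = System.currentTimeMillis();
            // Drop expired windows so the per-client map cannot itself become a memory sink.
            if (windows.size() > CLEANUP_THRESHOLD) {
                windows.entrySet().removeIf(e -> now - e.getValue().start >= WINDOW_MILLIS);
            }
            Window w = windows.compute(request.getRemoteAddr(), (client, old) ->
                (old == null || now - old.start >= WINDOW_MILLIS) ? new Window(now) : old);
            if (w.count.incrementAndGet() > MAX_REQUESTS_PER_WINDOW) {
                response.setStatus(429);
                response.setHeader("Retry-After", String.valueOf(WINDOW_MILLIS / 1000));
                return;   // request never reaches the function lookup
            }
            chain.doFilter(request, response);
        }
    }
}
```

Two caveats when using this: keying on the remote address is only meaningful if the application sees real client addresses, so behind a reverse proxy the key has to come from a trusted forwarded-for header instead; and the limiter is a stopgap that reduces how fast the cache can be filled, not a fix for the unbounded cache itself, so it should accompany rather than replace the upgrade to 3.2.6 or later.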
Credits
- Yaniv.Nizry@checkmarx.com