which commit is the fix of spring4shell?

Time: 04-06

https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15 - I have found this commit on the Spring GitHub. Can anyone confirm that this commit is the fix for the Spring4Shell vulnerability released a few days ago?

Regards,

reference: https://github.com/SAP/project-kb/blob/vulnerability-data/statements/CVE-2022-22965/statement.yaml

CodePudding user response:

Yes, this commit indeed fixes the Spring4Shell vulnerability. It blocks deserialization of request parameters which do not start with name or end with Name, which is essential for exploitation, as it uses request parameters starting with class. Vulnerability analysis can be found here, for example.
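To make the rule in the answer concrete, the following is an added illustration (not Spring's own CachedIntrospectionResults code, and not from the original post): it walks a dotted data-binding path with the JDK's own java.beans introspector and rejects any step that reads a property of java.lang.Class other than name or a property whose name ends in Name. The Greeting bean and the sample parameter names are constructed for the example; only the rule itself comes from the answer above.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;

/** Illustration of the property filter described in the answer; not Spring's implementation. */
public class ClassPropertyFilter {

    /** Property names on java.lang.Class that the described fix still exposes. */
    static boolean allowedOnClass(String property) {
        return "name".equals(property) || property.endsWith("Name");
    }

    /**
     * Walk a dotted binding path such as "class.classLoader" starting from beanType.
     * Returns the first path segment the filter would reject, or null if the whole
     * path is bindable. A segment that is not a readable bean property is also
     * reported, since a binder could not resolve it either.
     */
    static String firstRejectedSegment(Class<?> beanType, String path) throws IntrospectionException {
        Class<?> current = beanType;
        for (String segment : path.split("\\.")) {
            // The rule from the fix: on a Class bean, only "name" and "...Name" survive.
            if (Class.class == current && !allowedOnClass(segment)) {
                return segment;
            }
            PropertyDescriptor pd = findProperty(current, segment);
            if (pd == null || pd.getReadMethod() == null) {
                return segment;
            }
            current = pd.getReadMethod().getReturnType();
        }
        return null;
    }

    /** Look up a bean property by name using the standard JDK introspector. */
    static PropertyDescriptor findProperty(Class<?> type, String name) throws IntrospectionException {
        BeanInfo info = Introspector.getBeanInfo(type);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            if (pd.getName().equals(name)) {
                return pd;
            }
        }
        return null;
    }

    /** Constructed sample form bean standing in for a request-bound object. */
    public static class Greeting {
        private String message;
        public String getMessage() { return message; }
        public void setMessage(String m) { message = m; }
    }

    public static void main(String[] args) throws IntrospectionException {
        // Constructed sample parameter names: a normal field, two allowed Class
        // properties, and two Class properties the rule rejects.
        String[] samples = { "message", "class.name", "class.simpleName", "class.classLoader", "class.module" };
        for (String p : samples) {
            String rejected = firstRejectedSegment(Greeting.class, p);
            System.out.println(p + " -> " + (rejected == null ? "bound" : "rejected at '" + rejected + "'"));
        }
    }
}
```

Every JavaBean exposes a "class" property through getClass(), which is why a parameter name beginning with class. reaches java.lang.Class at all; the filter stops the walk at the first Class property that is neither name nor ...Name. This is only a model of the rule for reading the commit; the actual protection comes from upgrading to a Spring Framework release that contains the fix, not from reimplementing the check in application code.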
