Spring CLI Tool Flaw Allows Command Execution on Devices
A command injection vulnerability has been identified in the Spring CLI VSCode extension, posing a risk to developers who continue to use the outdated tool.
The flaw, tracked as CVE-2026-22718, allows attackers to execute arbitrary commands on affected machines and is rated medium severity.
The vulnerability affects Spring CLI VSCode Extension versions 0.9.0 and earlier. Although the extension reached end-of-life on May 14, 2025, the Spring team disclosed the CVE so that users who may still have it installed are properly informed of the risk.
The command injection flaw operates locally and requires user interaction to trigger exploitation.
| CVE ID | Product | CVSS Score | Attack Vector |
|---|---|---|---|
| CVE-2026-22718 | Spring CLI VSCode Extension | 6.3 | Local (AV:L) |
An attacker with local access who can influence the input the extension passes to the shell could inject additional commands, which would then run under the developer's own user account, the same account VS Code and its extensions run as.
The vulnerability received a CVSS score of 6.3 (Medium), reflecting its local attack vector and user interaction requirement.
However, the potential impact remains significant: successful exploitation lets an attacker read sensitive files, modify system configuration, and compromise development environments that hold source code and credentials.
Affected Versions and Mitigation
All versions of Spring CLI VSCode Extension up to 0.9.0 remain vulnerable. Since the extension officially reached EOL in May 2025, no patches have been released or will be provided.
Developers who still rely on Spring CLI functionality should move to alternative tooling and updated Spring development workflows that do not depend on the legacy extension.
Organizations and individual developers who have the Spring CLI VSCode extension installed should prioritize removing it. The disclosure underscores the importance of deprecating legacy development tools and communicating clearly about the risks of end-of-life software: continued use of the extension exposes development systems to compromise.
The Spring team recommends removing the extension from development environments immediately. Users can uninstall it from the Extensions view in VS Code, or delete the extension's folder from the user extensions directory by hand.
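For anyone who needs to sweep more than one developer machine, the check and the removal above can be scripted against the VS Code command-line interface. The following is an added example, not code from the Spring team or from the extension itself. It assumes the `code` CLI is on PATH, that `code --list-extensions --show-versions` prints one `publisher.name@version` entry per line, and that the affected extension can be recognised by a substring of its identifier (here `spring-cli`; the extension id `example-publisher.spring-cli` in the sample listing is a placeholder, as are the other entries, which are constructed for the dry run). Any version at or below 0.9.0 is treated as affected, matching the advisory's range.

```shell
#!/bin/sh
# Added example: find and remove an affected Spring CLI VSCode extension.
# Nothing here is taken from the advisory or the extension's own code.

# Return success when VERSION is <= 0.9.0 (the advisory's affected range).
# Missing components count as 0, so "0.9" is treated as 0.9.0.
is_vulnerable_version() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F. '
        {
            major = $1 + 0; minor = $2 + 0; patch = $3 + 0
            affected = (major == 0 && (minor < 9 || (minor == 9 && patch <= 0)))
            if (affected) exit 0
            exit 1
        }'
}

# Read a listing in `code --list-extensions --show-versions` format from
# stdin and print the ids of extensions whose id contains PATTERN
# (case-insensitive) and whose version falls in the affected range.
find_vulnerable_extensions() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        case "$line" in
            *@*) ;;
            *) continue ;;   # skip blank or malformed lines
        esac
        id=${line%@*}
        version=${line##*@}
        case "$(printf '%s' "$id" | tr 'A-Z' 'a-z')" in
            *"$pattern"*)
                if is_vulnerable_version "$version"; then
                    printf '%s\n' "$id"
                fi ;;
        esac
    done
}

# Fallback for the manual-removal route in the advisory: list candidate
# directories under the default user extensions location (override with
# VSCODE_EXTENSIONS_DIR). Directories are named publisher.name-version.
find_extension_dirs() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    ext_root=${VSCODE_EXTENSIONS_DIR:-$HOME/.vscode/extensions}
    [ -d "$ext_root" ] || return 0
    for d in "$ext_root"/*; do
        [ -d "$d" ] || continue
        case "$(basename "$d" | tr 'A-Z' 'a-z')" in
            *"$pattern"*) printf '%s\n' "$d" ;;
        esac
    done
}

# Live mode: query the installed extensions and uninstall affected ones.
remove_vulnerable_spring_cli() {
    if ! command -v code >/dev/null 2>&1; then
        echo "VS Code CLI 'code' is not on PATH" >&2
        return 2
    fi
    code --list-extensions --show-versions \
        | find_vulnerable_extensions spring-cli \
        | while IFS= read -r id; do
            echo "Uninstalling $id"
            code --uninstall-extension "$id"
        done
}

# Constructed sample listing (placeholder ids and versions) for a dry run.
SAMPLE_LISTING='ms-python.python@2024.2.1
example-publisher.spring-cli@0.9.0
example-publisher.other-tool@1.2.3
redhat.java@1.30.0'

# Dry run against the constructed listing; no VS Code installation needed.
printf '%s\n' "$SAMPLE_LISTING" | find_vulnerable_extensions spring-cli
```

Run `remove_vulnerable_spring_cli` (or source the file and call it) on a machine with the `code` CLI to perform the actual uninstall; use `find_extension_dirs spring-cli` to locate the folder when VS Code's CLI is unavailable and the extension has to be deleted by hand. Because the tool is end-of-life, a version check alone is not enough: any installed copy should be removed regardless of version, so the version filter here only matters for confirming the advisory's range on machines where other extensions with similar names are present.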
The issue was responsibly disclosed by security researcher Yue Liu, allowing the Spring team sufficient time to assess and communicate the risk before public disclosure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.