On March 31st 2022, vulnerabilities were announced in Spring Framework (CVE-2022-22965).
While all currently supported versions of StackState ship with the vulnerable code, StackState does not use any part of the Spring Framework that has currently been reported as vulnerable.
Notably, StackState does not use the Spring Framework for HTTP request handling or dependency injection. In addition, Spring is not running in an environment with an Apache Tomcat server.
At this time, it is not necessary for our customers to take any mitigation action.
We continue to monitor the vulnerability and will provide further updates if the situation changes.