diff --git a/spring/spring4shell/README.md b/spring/spring4shell/README.md new file mode 100644 index 00000000..a1c451fc --- /dev/null +++ b/spring/spring4shell/README.md @@ -0,0 +1,35 @@ +# Spring4Shell (CVE-2022-22965) Testbed + +Sample Spring form using Tomcat as the server. The vulnerability appears to be only exploitable when packaged as a WAR file and served through a servlet container, such as Apache Tomcat. + +## Deploy the testbed + +### Vulnerable +The vulnerable test application uses: +- Spring Boot v2.6.3 +- Spring Core v5.3.15 + +The application can be deployed using the following command: +``` +docker compose up +``` + +### Safe +The safe test application uses: +- Spring Boot v2.7.0 +- Spring Core v5.3.20 + +The application can be deployed using the following command: +``` +docker compose -f docker-compose-safe.yml up +``` + +## Proof of concept +The following docker-packaged proof of concept can be used to verify if the application is vulnerable: +``` +docker run --rm --net=host bobtheshoplifter/spring4shell-poc:latest --url "http://127.0.0.1:8080/spring-form/greeting" +``` + +## References + +Testbeds and Proof of Concept are from [github.com/BobTheShoplifter/Spring4Shell-POC](https://github.com/BobTheShoplifter/Spring4Shell-POC/). \ No newline at end of file diff --git a/spring/spring4shell/app/index.html b/spring/spring4shell/app/index.html new file mode 100644 index 00000000..fab89bec --- /dev/null +++ b/spring/spring4shell/app/index.html @@ -0,0 +1,2 @@ +

Spring4Shell Testbed

+Vulnerable Form \ No newline at end of file diff --git a/spring/spring4shell/app/spring-form-safe.war b/spring/spring4shell/app/spring-form-safe.war new file mode 100644 index 00000000..bba03b64 Binary files /dev/null and b/spring/spring4shell/app/spring-form-safe.war differ diff --git a/spring/spring4shell/app/spring-form-vuln.war b/spring/spring4shell/app/spring-form-vuln.war new file mode 100644 index 00000000..db4ad0fd Binary files /dev/null and b/spring/spring4shell/app/spring-form-vuln.war differ diff --git a/spring/spring4shell/docker-compose-safe.yml b/spring/spring4shell/docker-compose-safe.yml new file mode 100644 index 00000000..d78e79b8 --- /dev/null +++ b/spring/spring4shell/docker-compose-safe.yml @@ -0,0 +1,9 @@ +name: spring4shell-testbed-safe +services: + app: + image: tomcat:9.0.60-jre11-openjdk-slim-buster + ports: + - "8080:8080" + volumes: + - "./app/index.html:/usr/local/tomcat/webapps/ROOT/index.html" + - "./app/spring-form-safe.war:/usr/local/tomcat/webapps/spring-form.war" diff --git a/spring/spring4shell/docker-compose.yml b/spring/spring4shell/docker-compose.yml new file mode 100644 index 00000000..185d193e --- /dev/null +++ b/spring/spring4shell/docker-compose.yml @@ -0,0 +1,9 @@ +name: spring4shell-testbed-vulnerable +services: + app: + image: tomcat:9.0.60-jre11-openjdk-slim-buster + ports: + - "8080:8080" + volumes: + - "./app/index.html:/usr/local/tomcat/webapps/ROOT/index.html" + - "./app/spring-form-vuln.war:/usr/local/tomcat/webapps/spring-form.war"
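Review bot: In spring/spring4shell/README.md, the "Proof of concept" command runs a third-party image by its mutable `:latest` tag together with `--net=host`, so whatever is currently published under that tag runs with the host's network stack. Pin `bobtheshoplifter/spring4shell-poc` to a digest or a fixed tag, and say in the README that the container shares the host network. The file also ends without a trailing newline.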
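Review bot: In spring/spring4shell/app/index.html the link text reads "Vulnerable Form", but docker-compose-safe.yml mounts this same file, so the safe deployment presents its patched form under a "vulnerable" label. Use a neutral label, or ship a second index page for the safe stack and mount that one from docker-compose-safe.yml.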
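Review bot: The two WAR files under spring/spring4shell/app/ are added as opaque binaries, so the Spring Boot and Spring Core versions the README states for each cannot be checked from this diff. Record a SHA-256 for `spring-form-vuln.war` and `spring-form-safe.war` in the README, or commit the source and build steps that produce them.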
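Review bot: In spring/spring4shell/docker-compose-safe.yml the `- "8080:8080"` mapping and the `/usr/local/tomcat/webapps/spring-form.war` target are identical to the vulnerable stack, so the two cannot run side by side and nothing at the URL shows which one is answering. Either give the safe stack its own host port or state in the README that one stack must be brought down before starting the other.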
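Review bot: In spring/spring4shell/docker-compose.yml the port mapping `- "8080:8080"` publishes the deliberately vulnerable application on every host interface. Bind it to loopback with `- "127.0.0.1:8080:8080"`, which still matches the `http://127.0.0.1:8080/...` URL used in the README, and add `:ro` to the two volume entries so the container cannot write back to the mounted files.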