Spring Framework 5.3.18 corrects several issues, including CVE-2022-22965. Spring Boot for NiFi Registry should also be upgraded to 2.6.6.
The Spring Framework announcement lists the criteria for exploiting the vulnerability. Based on the current summary, NiFi and NiFi Registry do not appear to be impacted as both applications use Jetty instead of Apache Tomcat, and use JAX-RS with Jersey instead of Spring WebMVC or Spring Webflux for defining REST resources.
Upgrading these dependencies mitigates potential issues.