Mendix will probably also react here but the response from slack from the CISO:
Mendix Runtime doesn't use Spring, Marketplace components might use them, however 'The specific exploit requires the application to run on Tomcat as a WAR deployment.' which isn't used in Mendix Cloud
Regards,
Ronald