CVE-2025-22235

Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

‍
Your application may be affected by this if all the following conditions are met:

‍
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

* You don't use Spring Security
* You don't use EndpointRequest.to()
* The endpoint which EndpointRequest.to() refers to is enabled and is exposed
* Your application does not handle requests to /null or this path does not need protection

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

7.3

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Versions

org.springframework.boot:spring-boot >= 3.1.0; org.springframework.boot:spring-boot >= 3.2.0; org.springframework.boot:spring-boot >= 3.3.0 < 3.3.11; org.springframework.boot:spring-boot >= 3.4.0 < 3.4.5

Severity

High

Ecosystem

Java

Publish Date

April 28, 2025

Modified Date

May 16, 2025