CWE: 287 (Improper Authentication)

CVE-2025-22232: Spring Cloud Config Server May Not Use Vault Token Sent By Clients

First published: Thu Apr 10 2025

Spring Cloud Config Server may not use the Vault token sent by clients in the X-CONFIG-TOKEN header when making requests to Vault.

Your application may be affected by this if all of the following are true:

  • You have Spring Vault on the classpath of your Spring Cloud Config Server, and
  • You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault, and
  • You are using the default Spring Vault SessionManager implementation, LifecycleAwareSessionManager, or a SessionManager implementation that persists the Vault token, such as SimpleSessionManager.

In this case the SessionManager persists the first token it retrieves and will continue to use that token even if later client requests to the Spring Cloud Config Server include a X-CONFIG-TOKEN header with a different value. Requests from later clients are therefore made to Vault with the first client's token, so the data returned reflects that token's Vault permissions rather than the requesting client's.

Affected Spring Products and Versions

Spring Cloud Config: 2.2.1.RELEASE - 4.2.1

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

  Affected version(s)   Fix version   Availability
  4.2.x                 4.2.2         OSS
  4.1.x                 4.1.6         OSS
  4.0.x                 4.0.10        Commercial
  3.1.x                 3.1.10        Commercial
  3.0.x                 4.1.6         OSS
  2.2.x                 4.1.6         OSS

NOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.

No other mitigation steps are necessary.
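The token-reuse behaviour described above, as an added illustration that is not Spring Cloud Config or Spring Vault code. The classes below are a toy model: StickySessionManager stands in for a SessionManager that persists the first token it sees (the behaviour the advisory attributes to LifecycleAwareSessionManager and SimpleSessionManager), PerRequestSessionManager stands in for the corrected behaviour of honouring each request's X-CONFIG-TOKEN, and VaultStub is a minimal Vault that enforces per-token read policies. All class names, tokens, paths and secret values are constructed assumptions for the example; the point it shows is that, with the sticky manager, a second client's request is served with the first client's Vault permissions.

```python
"""Toy model of the CVE-2025-22232 token-reuse behaviour (added example).

Not Spring code: the classes below are stand-ins modelled on the advisory's
description. Tokens, paths and policies are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional


class PermissionDenied(Exception):
    """Stand-in for Vault's HTTP 403 'permission denied' response."""


@dataclass
class VaultStub:
    """Minimal Vault: each token may read only paths under its allowed prefixes."""
    policies: Dict[str, tuple]      # token -> allowed path prefixes (constructed)
    kv: Dict[str, Dict[str, str]]   # path -> secret data (constructed)

    def read(self, token: str, path: str) -> Dict[str, str]:
        allowed = self.policies.get(token, ())
        if not any(path.startswith(prefix) for prefix in allowed):
            raise PermissionDenied(f"token {token!r} may not read {path}")
        return self.kv[path]


class StickySessionManager:
    """Vulnerable behaviour: caches the first token, ignores later header values."""
    def __init__(self) -> None:
        self._token: Optional[str] = None

    def get_session_token(self, request_token: str) -> str:
        if self._token is None:
            self._token = request_token    # first token wins, for every later request
        return self._token


class PerRequestSessionManager:
    """Corrected behaviour: the token from the current request is always used."""
    def get_session_token(self, request_token: str) -> str:
        return request_token


class ConfigServer:
    """Toy Config Server front-end: resolves a token, then reads secret/<app> from Vault."""
    def __init__(self, vault: VaultStub, session_manager) -> None:
        self.vault = vault
        self.sm = session_manager

    def fetch(self, application: str, x_config_token: str) -> Dict[str, str]:
        token = self.sm.get_session_token(x_config_token)
        return self.vault.read(token, f"secret/{application}")


def build_vault() -> VaultStub:
    """Two tenants; each token is scoped to its own application's secrets."""
    return VaultStub(
        policies={"tok-app-a": ("secret/app-a",), "tok-app-b": ("secret/app-b",)},
        kv={"secret/app-a": {"db.password": "a-secret"},
            "secret/app-b": {"db.password": "b-secret"}},
    )


def run_scenario(session_manager) -> Dict[str, str]:
    """Replay the advisory's request sequence and record what each client got."""
    server = ConfigServer(build_vault(), session_manager)
    observed: Dict[str, str] = {}
    # 1. Client A is first; a persisting SessionManager keeps its token.
    observed["a_reads_a"] = server.fetch("app-a", "tok-app-a")["db.password"]
    # 2. Client B requests app-a's config with its own, narrower token.
    try:
        observed["b_reads_a"] = server.fetch("app-a", "tok-app-b")["db.password"]
    except PermissionDenied:
        observed["b_reads_a"] = "denied"
    # 3. Client B requests its own config.
    try:
        observed["b_reads_b"] = server.fetch("app-b", "tok-app-b")["db.password"]
    except PermissionDenied:
        observed["b_reads_b"] = "denied"
    return observed


if __name__ == "__main__":
    print("sticky     :", run_scenario(StickySessionManager()))
    print("per-request:", run_scenario(PerRequestSessionManager()))
```

With the sticky manager, step 2 returns app-a's secret to client B (read under client A's token) and step 3 is denied (client A's token cannot read app-b), so the bug shows up both as a leak across clients and as spurious permission failures. With the per-request manager each client sees exactly what its own token permits.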

Credit: security@vmware.com

  Affected Software     Affected Version             How to fix
  Spring Cloud Config   >=2.2.1.RELEASE, <=4.2.1     Upgrade to the fixed version for your release line (4.2.2, 4.1.6, 4.0.10 or 3.1.10)


Frequently Asked Questions

  • What is the severity of CVE-2025-22232?

    CVE-2025-22232 is classified as CWE-287 (Improper Authentication). Its impact is that a request to the Config Server can be served with a Vault token supplied by an earlier client, so configuration data is read from Vault under another client's permissions rather than the requester's.

  • How do I fix CVE-2025-22232?

    To fix CVE-2025-22232, upgrade Spring Cloud Config to the fixed version for your release line: 4.2.2 (4.2.x), 4.1.6 (4.1.x, 3.0.x and 2.2.x), 4.0.10 (4.0.x) or 3.1.10 (3.1.x). The advisory states that no other mitigation steps are necessary.

  • Which versions of Spring Cloud Config are affected by CVE-2025-22232?

    CVE-2025-22232 affects Spring Cloud Config versions from 2.2.1.RELEASE through 4.2.1 inclusive; 4.2.2, 4.1.6, 4.0.10 and 3.1.10 contain the fix.

  • What is the main issue caused by CVE-2025-22232?

    The main issue caused by CVE-2025-22232 is that the Spring Cloud Config Server may not use the Vault token sent in the X-CONFIG-TOKEN header: a token-persisting SessionManager keeps the first token it retrieves and reuses it for later requests that carry a different token.

  • Does using Spring Vault mitigate the effects of CVE-2025-22232?

    No. Having Spring Vault on the classpath is one of the preconditions for being affected, together with use of the X-CONFIG-TOKEN header and a token-persisting SessionManager such as LifecycleAwareSessionManager or SimpleSessionManager. The fix is to upgrade to a patched version.
