First published: Mon Apr 28 2025
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

* You don't use Spring Security
* You don't use EndpointRequest.to()
* The endpoint which EndpointRequest.to() refers to is enabled and is exposed
* Your application does not handle requests to /null or this path does not need protection
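The following is an added illustration, not code from the advisory or from the Spring projects. It shows the configuration pattern the conditions above describe (a rule built with EndpointRequest.to() in a Spring Security chain) together with a MockMvc regression check that a practitioner can keep in the test suite to confirm that the /null path is still protected after an upgrade or a change to actuator exposure. It assumes a Spring Boot 3.x application with spring-boot-starter-security, spring-boot-starter-actuator and spring-boot-starter-test on the classpath; the class names, the probe path /null/probe and the use of HTTP Basic are illustrative choices, and the two classes would normally live in separate source files.

```java
// Added example (not from the advisory): affected configuration pattern plus a
// regression check. Class names, the /null/probe path and HTTP Basic are assumptions.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Intended: anonymous access to the health endpoint only.
                // On affected Spring Boot versions, if "health" is disabled or not
                // exposed over the web (management.endpoints.web.exposure.include does
                // not list it), this matcher silently becomes /null/** and the
                // permitAll() below is applied to that path instead.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // Every other request, including other actuator endpoints, needs a login.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Regression check: with a fixed Spring Boot version, or when "health" is enabled and
// exposed, /null/** falls under anyRequest().authenticated() and an anonymous request
// is rejected with 401 by the Basic entry point. Under the affected combination the
// leaked permitAll() lets the request through to the dispatcher (typically a 404), so
// this assertion fails and flags the misconfiguration.
@SpringBootTest
@AutoConfigureMockMvc
class NullPathRegressionTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void nullPathStillRequiresAuthentication() throws Exception {
        mockMvc.perform(get("/null/probe"))
               .andExpect(status().isUnauthorized());
    }
}
```

The check is deliberately phrased as "the path must require authentication" rather than "the path must not exist", because the advisory's affected condition is that the application handles requests under /null; a test that only looked for a 404 would pass for the wrong reason. Pair it with the explicit exposure settings (management.endpoint.health.enabled and management.endpoints.web.exposure.include) so that the endpoint the rule names is actually the one the matcher resolves to.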
Credit: security@vmware.com
Affected Software | Affected Version | How to fix |
---|---|---|
Spring Security | | |
Spring Boot | | |
maven/org.springframework.boot:spring-boot | >=3.4.0, <=3.4.4 | 3.4.5 |
maven/org.springframework.boot:spring-boot | >=3.3.0, <=3.3.10 | 3.3.11 |
maven/org.springframework.boot:spring-boot | >=3.2.0, <=3.2.13.2 | |
maven/org.springframework.boot:spring-boot | >=3.1.0, <=3.1.15.2 | |
maven/org.springframework.boot:spring-boot | <=2.7.24.2 | |
CVE-2025-22235 is classified as a high severity vulnerability due to its potential impact on application security.
To fix CVE-2025-22235, upgrade to a Spring Boot release that contains the fix (see the table above) and make sure that every actuator endpoint your Spring Security rules reference via EndpointRequest.to() is enabled and exposed in accordance with security best practices.
CVE-2025-22235 affects applications using Spring Security and Spring Boot where an actuator endpoint referenced by EndpointRequest.to() is disabled or not exposed.
Attackers may exploit CVE-2025-22235 to access sensitive information or functionality when a security rule written for such an actuator endpoint is silently applied to the /null path instead, leaving that path not properly secured.
CVE-2025-22235 was disclosed as part of the ongoing security improvements and audits within the Spring framework.