CVE-2025-22235

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

You use Spring Security
EndpointRequest.to() has been used in a Spring Security chain configuration
The endpoint which EndpointRequest references is disabled or not exposed via web
Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

You don't use Spring Security
You don't use EndpointRequest.to()
The endpoint which EndpointRequest.to() refers to is enabled and is exposed
Your application does not handle requests to /null or this path does not need protection

Published: Apr 28, 2025
Updated: Jun 30, 2025
CVE: CVE-2025-22235
GHSA: GHSA-rc42-6c7j-7h5r
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWEs:

Affected Software
References

Software	From	Fixed in
org.springframework.boot / spring-boot	-	2.7.24.2.x
org.springframework.boot / spring-boot	3.1.0	3.1.15.2.x
org.springframework.boot / spring-boot	3.2.0	3.2.13.2.x
org.springframework.boot / spring-boot	3.3.0	3.3.11
org.springframework.boot / spring-boot	3.4.0	3.4.5

Vulnerability Database

289,697

CVE-2025-22235