CVE-2025-22235

Incorrectly Configured Access Control
Affects
Spring Boot
<2.7.0, >=2.7.0 <2.7.25, >=3.1.0 <3.1.16, >=3.2.0 <3.2.14, >=3.3.0 <3.3.11, >=3.4.0 <3.4.5
in
Spring
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Spring Boot helps developers to create Spring-based applications with minimal configuration. Production-grade features are provided out-of-the-box, such as Spring Boot Actuators. Actuators provide features for managing and monitoring an application using HTTP or JMX endpoints. If Spring Security is added to the application, the actuator endpoints can be secured using Spring Security.

An Incorrectly Configured Access Control vulnerability (CVE-2025-22235) has been identified in spring-boot-actuator-autoconfigure, the Spring Boot actuator support module: EndpointRequest.to() may create an incorrect Spring Security path matcher (/null/**) if the targeted actuator endpoint is either disabled or not exposed over HTTP. This could unintentionally leave the /null path unprotected if it is handled by the application and expected to be secured.

This issue affects multiple versions of Spring Boot’s spring-boot-actuator-autoconfigure package.

Details

Module Info

Vulnerability Info

Key Conditions for Vulnerability:

  1. You are using Spring Security.
  2. You use EndpointRequest.to() in your Spring Security configuration.
  3. The actuator endpoints passed to EndpointRequest.to() are either disabled or not exposed.
  4. Your application handles requests to /null, and this path should be protected.

Not Vulnerable If:

  1. You do not use Spring Security.
  2. You do not use EndpointRequest.to().
  3. The referenced endpoint is enabled and exposed.
  4. Your application does not handle requests to /null, or the path does not require protection.

Credit

Mitigation

Only recent versions of Spring Boot are community-supported. Only the recent community support version will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Boot
  • Change application code to do one of the following:
    • Expose the endpoints referenced by EndpointRequest.to(): make sure they are enabled and accessible via the web
    • Avoid handling requests to /null or ensure that any requests to that path are explicitly secured
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
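The configuration below is an added example, not code from the advisory or from the Spring project. It shows, in one Spring Security class, the pattern described under Key Conditions (an EndpointRequest.to() rule naming an endpoint that is disabled or not exposed, so the matcher resolves to /null/**) next to the two code-level mitigations listed above. It assumes a Spring Boot 3.x / Spring Security 6 application; the endpoint ids, the hypothetical InternalController mapped at /null, and the property values in the comments are illustrative assumptions.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical application handler: a path that happens to be /null and is
// expected to require authentication (Key Condition 4).
@RestController
class InternalController {
    @GetMapping("/null")
    String internal() {
        return "internal data";
    }
}

@Configuration
public class ActuatorSecurityConfig {

    // --- Affected pattern (Key Conditions 1-3) ---
    // With the default web exposure of actuator endpoints, "info" is not
    // exposed over HTTP (assumption: management.endpoints.web.exposure.include
    // has not been changed). On an affected Spring Boot version the matcher for
    // the unexposed endpoint becomes /null/**, so this rule would permitAll()
    // on the /null handler above instead of on the actuator endpoint.
    //
    // @Bean
    // SecurityFilterChain affectedChain(HttpSecurity http) throws Exception {
    //     http.authorizeHttpRequests(auth -> auth
    //             .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
    //             .anyRequest().authenticated())
    //         .httpBasic(Customizer.withDefaults());
    //     return http.build();
    // }

    // --- Mitigated configuration ---
    // Mitigation A (enable and expose every endpoint named in EndpointRequest.to()),
    // set in application.properties, for example:
    //   management.endpoint.info.enabled=true
    //   management.endpoints.web.exposure.include=health,info
    // Mitigation B (explicitly secure /null): rules are evaluated in order and the
    // first match wins, so placing an authenticated() rule for /null/** ahead of
    // the actuator permitAll() keeps /null protected even if the matcher resolves
    // to /null/** on an affected version.
    @Bean
    SecurityFilterChain mitigatedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/null/**").authenticated()
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Upgrading to a fixed Spring Boot version remains the primary fix; the explicit /null/** rule is a defence-in-depth measure for applications that cannot upgrade immediately, and a quick way to audit an existing configuration is to list every endpoint id passed to EndpointRequest.to() and confirm each one appears in management.endpoints.web.exposure.include and is not disabled.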

Vulnerability Details

ID: CVE-2025-22235
Project Affected: Spring Boot
Versions Affected: <2.7.0, >=2.7.0 <2.7.25, >=3.1.0 <3.1.16, >=3.2.0 <3.2.14, >=3.3.0 <3.3.11, >=3.4.0 <3.4.5
Published date: April 25, 2025
≈ Fix date: April 24, 2025
Severity: Medium
Category: Incorrectly Configured Access Control