By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2025-22235

Incorrectly Configured Access Control

Affects

Spring Boot

<2.7.0, >=2.7.0 <2.7.25, >=3.1.0 <3.1.16, >=3.2.0 <3.2.14, >=3.3.0 <3.3.11, >=3.4.0 <3.4.5

Spring

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Spring Boot helps developers to create Spring-based applications with minimal configuration. Production-grade features are provided out-of-the-box, such as Spring Boot Actuators. Actuators provide features for managing and monitoring an application using HTTP or JMX endpoints. If Spring Security is added to the application, the actuator endpoints can be secured using Spring Security.

‍

An Incorrectly Configured Access Control vulnerability (CVE-2025-22235) has been identified in spring-boot-actuator-autconfigure from Spring Boot actuator support where the EndpointRequest.to() may create an incorrect Spring Security path matcher (/null/**) if the targeted actuator endpoint is either disabled or not exposed over HTTP. This could unintentionally leave the /null path unprotected if it is handled by the application and expected to be secured.

‍

This issue affects multiple versions of Spring Boot’s spring-boot-actuator-autoconfigure package.

‍

Details

Module Info

Product: Spring Boot
Affected packages: spring-boot-actuator-autoconfigure
Affected versions: <2.7.0, >=2.7.0 <2.7.25, >=3.1.0 <3.1.16, >=3.2.0 <3.2.14, >=3.3.0 <3.3.11, >=3.4.0 <3.4.5
GitHub repository: https://github.com/spring-projects/spring-boot
Published packages: https://central.sonatype.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure
Package manager: Maven
Fixed In: NES for Spring Boot v2.7.25

‍

Vulnerability Info

Key Conditions for Vulnerability:

You are using Spring Security.
You use EndpointRequest.to() in your Spring Security configuration.
The actuator endpoints passed to EndpointRequest.to() are either disabled or not exposed.
Your application handles requests to /null, and this path should be protected.

Not Vulnerable If:

You do not use Spring Security.
You do not use EndpointRequest.to().
The referenced endpoint is enabled and exposed.
Your application does not handle requests to /null, or the path does not require protection

‍

Credit

Janek Bettinger (janek.bettinger@porsche.de)

Mitigation

Only recent versions of Spring Boot are community-supported. Only the recent community support version will receive updates to address this issue. For more information, see here.

‍

Users of the affected components should apply one of the following mitigations:

Upgrade affected applications to supported versions of Spring Boot
Change application code to do one of the following:
- Expose the endpoints referenced by EndpointRequest.to() make sure they’re enabled and accessible via the web
- Avoid handling requests to /null or ensure that any requests to that path are explicitly secured
Leverage a commercial support partner like HeroDevs for post-EOL security support.

‍