Overview
Spring Boot helps developers create Spring-based applications with minimal configuration. Production-grade features are provided out of the box, such as Spring Boot Actuators. Actuators provide features for managing and monitoring an application using HTTP or JMX endpoints. If Spring Security is added to the application, the actuator endpoints can be secured using Spring Security.
An Incorrectly Configured Access Control vulnerability (CVE-2025-22235) has been identified in spring-boot-actuator-autoconfigure, the Spring Boot actuator support module: EndpointRequest.to() may create an incorrect Spring Security path matcher (/null/**) if the targeted actuator endpoint is either disabled or not exposed over HTTP. This could unintentionally leave the /null path unprotected if it is handled by the application and is expected to be secured.
This issue affects multiple versions of Spring Boot’s spring-boot-actuator-autoconfigure package.
Details
Module Info
- Product: Spring Boot
- Affected packages: spring-boot-actuator-autoconfigure
- Affected versions: <2.7.0, >=2.7.0 <2.7.25, >=3.1.0 <3.1.16, >=3.2.0 <3.2.14, >=3.3.0 <3.3.11, >=3.4.0 <3.4.5
- GitHub repository: https://github.com/spring-projects/spring-boot
- Published packages: https://central.sonatype.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure
- Package manager: Maven
- Fixed In: NES for Spring Boot v2.7.25
Vulnerability Info
Key Conditions for Vulnerability:
- You are using Spring Security.
- You use EndpointRequest.to() in your Spring Security configuration.
- The actuator endpoints passed to EndpointRequest.to() are either disabled or not exposed.
- Your application handles requests to /null, and this path should be protected.
Not Vulnerable If:
- You do not use Spring Security.
- You do not use EndpointRequest.to().
- The referenced endpoint is enabled and exposed.
- Your application does not handle requests to /null, or the path does not require protection.
Credit
- Janek Bettinger (janek.bettinger@porsche.de)
Mitigation
Only recent versions of Spring Boot are community-supported. Only the recent community support version will receive updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Boot
- Change application code to do one of the following:
- Expose the endpoints referenced by EndpointRequest.to(): make sure they are enabled and accessible via the web
- Avoid handling requests to /null or ensure that any requests to that path are explicitly secured
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
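The following is an added example, not code from the advisory or from the Spring Boot project, illustrating both the vulnerable conditions listed under "Vulnerability Info" and the code-level mitigations listed above. It assumes a Spring Boot 3.x application with spring-boot-starter-actuator and spring-boot-starter-security, a hypothetical package name com.example.demo, a hypothetical Spring profile name "unpatched-demo" used only to isolate the vulnerable configuration, and the constructed application.properties values shown in the comments.

```java
// Added example (not the advisory's or Spring Boot's own code).
// Assumed: Spring Boot 3.x, spring-boot-starter-actuator, spring-boot-starter-security.
package com.example.demo; // hypothetical package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Constructed application.properties for the vulnerable case:
 *
 *   management.endpoints.web.exposure.include=health,info
 *   management.endpoint.shutdown.enabled=false
 *
 * "shutdown" is both disabled and not exposed over HTTP. On affected versions,
 * EndpointRequest.to("shutdown") then resolves to the matcher /null/** instead of
 * the shutdown endpoint's real path, so the rule below guards /null/** rather than
 * anything related to the actuator. If the application itself serves /null and
 * relies on this rule, that handler is not protected the way the author intended.
 */
@Configuration
@Profile("unpatched-demo") // hypothetical profile; keeps the vulnerable chain out of normal runs
class VulnerablePatternConfig {

    @Bean
    SecurityFilterChain vulnerableChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Matches /null/** when "shutdown" is disabled or not exposed (affected versions)
                .requestMatchers(EndpointRequest.to("shutdown")).hasRole("ADMIN")
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

/**
 * Hardened form, following the advisory's code-level mitigations:
 *   1. every endpoint named in EndpointRequest.to() is enabled and exposed, so the
 *      matcher resolves to the endpoint's real path:
 *
 *        management.endpoints.web.exposure.include=health,info,shutdown
 *        management.endpoint.shutdown.enabled=true
 *
 *   2. /null is secured explicitly, and the rule is listed first so the outcome for
 *      that path does not depend on what EndpointRequest.to() resolves to;
 *   3. a catch-all rule ensures no unlisted path is silently left open.
 * Upgrading to a fixed Spring Boot version remains the primary mitigation.
 */
@Configuration
class HardenedActuatorSecurityConfig {

    @Bean
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // Explicit rule for /null: first match wins, so this holds regardless of
                // how EndpointRequest.to() below is resolved.
                .requestMatchers("/null/**").denyAll()
                // Endpoint is enabled and exposed, so this now matches the real shutdown path.
                .requestMatchers(EndpointRequest.to("shutdown")).hasRole("ADMIN")
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Catch-all: anything not listed above still requires authentication.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check for the condition the advisory describes: on an affected version, start the application with the vulnerable properties and compare the paths listed in the Spring Security debug log (logging.level.org.springframework.security=DEBUG) against the rules you wrote; a matcher printed as /null/** where an actuator path was expected is the misconfiguration this CVE covers. With the hardened form, that path is denied outright whether or not the matcher resolves correctly.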