High severity7.3GHSA Advisory· Published Apr 28, 2025· Updated Jun 17, 2026
CVE-2025-22235
CVE-2025-22235
Description
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
- You use Spring Security
- EndpointRequest.to() has been used in a Spring Security chain configuration
- The endpoint which EndpointRequest references is disabled or not exposed via web
- Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
- You don't use Spring Security
- You don't use EndpointRequest.to()
- The endpoint which EndpointRequest.to() refers to is enabled and is exposed
- Your application does not handle requests to /null or this path does not need protection
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.boot:spring-bootMaven | <= 2.7.24.2 | — |
org.springframework.boot:spring-bootMaven | >= 3.1.0, <= 3.1.15.2 | — |
org.springframework.boot:spring-bootMaven | >= 3.2.0, <= 3.2.13.2 | — |
org.springframework.boot:spring-bootMaven | >= 3.3.0, < 3.3.11 | 3.3.11 |
org.springframework.boot:spring-bootMaven | >= 3.4.0, < 3.4.5 | 3.4.5 |
Affected products
10- Range: >= 3.4.0, <= 3.4.4
- osv-coords9 versionspkg:apk/chainguard/camunda-zeebe-8.4pkg:apk/chainguard/camunda-zeebe-8.4-compatpkg:apk/chainguard/camunda-zeebe-8.6pkg:apk/chainguard/camunda-zeebe-8.6-compatpkg:apk/chainguard/keycloak-config-clipkg:apk/chainguard/thingsboardpkg:apk/wolfi/keycloak-config-clipkg:apk/wolfi/thingsboardpkg:maven/org.springframework.boot/spring-boot
< 8.4.18-r1+ 8 more
- (no CPE)range: < 8.4.18-r1
- (no CPE)range: < 8.4.18-r1
- (no CPE)range: < 8.6.13-r2
- (no CPE)range: < 8.6.13-r2
- (no CPE)range: < 6.4.0-r51
- (no CPE)range: < 0
- (no CPE)range: < 6.4.0-r51
- (no CPE)range: < 0
- (no CPE)range: <= 2.7.24.2
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.