VYPR

High severity (7.3) · GHSA Advisory · Published Apr 28, 2025 · Updated Apr 15, 2026

CVE-2025-22235

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

  • You use Spring Security
  • EndpointRequest.to() has been used in a Spring Security chain configuration
  • The endpoint which EndpointRequest references is disabled or not exposed via web
  • Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

  • You don't use Spring Security
  • You don't use EndpointRequest.to()
  • The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  • Your application does not handle requests to /null or this path does not need protection

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring Boot's EndpointRequest.to() incorrectly creates a matcher for /null/** when the referenced actuator endpoint is disabled, potentially bypassing security for that path.

Vulnerability

Overview

CVE-2025-22235 is a logic error in Spring Boot's EndpointRequest.to() method. When the actuator endpoint referenced in the call is disabled or not exposed via web, the method incorrectly generates a security matcher for null/** instead of the intended endpoint path [1][2]. This occurs because the code fails to handle the case where the endpoint is not available, leading to a fallback that produces a malformed matcher.

Exploitation

Conditions

Exploitation requires a specific set of conditions: the application must use Spring Security, EndpointRequest.to() must be used in a security filter chain, the referenced actuator endpoint must be disabled or not exposed, and the application must handle requests to the /null path that require protection [1][2]. An attacker who can send requests to /null may bypass the intended security controls if those requests are not properly secured.

Impact

If all conditions are met, an attacker could gain unauthorized access to resources mapped under /null, potentially leading to information disclosure or other impacts. The CVSS v3 base score of 7.3 (High) reflects the potential for confidentiality, integrity, and availability impacts with low attack complexity and no privileges required [1].

Mitigation

Users should upgrade to the fixed versions: Spring Boot 2.7.25, 3.1.16, 3.2.14, 3.3.11, or 3.4.5, depending on the affected branch [2]. If upgrading is not immediately possible, ensure the actuator endpoint referenced by EndpointRequest.to() is enabled and exposed, or avoid handling requests to /null in the application [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Ecosystem  Affected versions       Patched versions
org.springframework.boot:spring-boot  Maven      <= 2.7.24.2
org.springframework.boot:spring-boot  Maven      >= 3.1.0, <= 3.1.15.2
org.springframework.boot:spring-boot  Maven      >= 3.2.0, <= 3.2.13.2
org.springframework.boot:spring-boot  Maven      >= 3.3.0, < 3.3.11      3.3.11
org.springframework.boot:spring-boot  Maven      >= 3.4.0, < 3.4.5       3.4.5
