VYPR
High severity7.3GHSA Advisory· Published Apr 28, 2025· Updated Jun 17, 2026

CVE-2025-22235

CVE-2025-22235

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

  • You use Spring Security
  • EndpointRequest.to() has been used in a Spring Security chain configuration
  • The endpoint which EndpointRequest references is disabled or not exposed via web
  • Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

  • You don't use Spring Security
  • You don't use EndpointRequest.to()
  • The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  • Your application does not handle requests to /null or this path does not need protection

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.springframework.boot:spring-bootMaven
<= 2.7.24.2
org.springframework.boot:spring-bootMaven
>= 3.1.0, <= 3.1.15.2
org.springframework.boot:spring-bootMaven
>= 3.2.0, <= 3.2.13.2
org.springframework.boot:spring-bootMaven
>= 3.3.0, < 3.3.113.3.11
org.springframework.boot:spring-bootMaven
>= 3.4.0, < 3.4.53.4.5

Affected products

10

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.