GHSA-rc42-6c7j-7h5r: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
CVE-2025-22235

Severity: High (GitHub Reviewed) • Published to the GitHub Advisory Database: Apr 28, 2025 • Updated: Apr 28, 2025

Package

org.springframework.boot:spring-boot (Maven)

Affected versions

<= 2.7.24.2

>= 3.1.0, <= 3.1.15.2

>= 3.2.0, <= 3.2.13.2

>= 3.3.0, <= 3.3.10

>= 3.4.0, <= 3.4.4

Patched versions

3.3.11

3.4.5

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint for which the EndpointRequest was created is disabled or not exposed. Requests to the intended actuator path are then not covered by the security chain built from that matcher, while requests under /null are.

Your application may be affected by this if all the following conditions are met:

  • You use Spring Security
  • EndpointRequest.to() has been used in a Spring Security chain configuration
  • The endpoint which EndpointRequest.to() references is disabled or not exposed over the web
  • Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

  • You don’t use Spring Security
  • You don’t use EndpointRequest.to()
  • The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  • Your application does not handle requests to /null or this path does not need protection
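The conditions above, shown as Spring Security configuration. This is an added illustration, not code from the advisory or from the Spring Boot or Spring Security projects; it assumes Spring Boot 3.x with the actuator and security starters on the classpath, and the endpoint id heapdump and the role name ACTUATOR_ADMIN are chosen for the example. The first chain meets the advisory's conditions on an affected version; the second is one hardened form to use alongside the upgrade to a patched version. Register only one of the two classes in an application.

```java
// Added illustration (not code from the advisory, Spring Boot, or Spring Security).
// Assumes Spring Boot 3.x (Spring Security 6) with spring-boot-starter-actuator and
// spring-boot-starter-security. Endpoint id "heapdump" and role "ACTUATOR_ADMIN"
// are example choices.
package example.security;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Configuration that meets the advisory's conditions on an affected version.
// EndpointRequest.to("heapdump") is meant to scope this chain to the heapdump
// endpoint. If heapdump is disabled (management.endpoint.heapdump.enabled=false)
// or is not listed in management.endpoints.web.exposure.include, affected versions
// build the matcher for "null/**" instead: the chain then guards requests under
// /null and does not apply to the actuator path it was written for.
@Configuration
class WeakActuatorConfig {

    @Bean
    SecurityFilterChain heapdumpChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.to("heapdump"))
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Hardened form. The fix itself is the upgrade to 3.3.11 / 3.4.5 listed above.
// In addition, scoping the chain with toAnyEndpoint() avoids naming a single
// endpoint that may not be exposed, and applies the same rule to every exposed
// actuator endpoint, so an endpoint exposed later is not left unprotected.
// excluding("health") keeps the health check reachable without credentials,
// a common choice for load balancers; drop it if that is not wanted.
@Configuration
class HardenedActuatorConfig {

    @Bean
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint().excluding("health"))
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check after deploying either configuration: request the actuator path with and without credentials and confirm the unauthenticated request is rejected; on an affected version with the weak configuration and an unexposed endpoint, the rule would instead be applied to paths under /null, which the advisory's fourth condition describes.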

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-22235
  • https://spring.io/security/cve-2025-22235

