{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22235", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-01-02T04:30:06.832Z", "datePublished": "2025-04-28T07:10:35.370Z", "dateUpdated": "2025-05-16T23:03:06.227Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Spring Boot", "vendor": "Spring", "versions": [{"lessThan": "2.7.25", "status": "affected", "version": "2.7.x", "versionType": "Enterprise Support Only"}, {"lessThan": "3.1.16", "status": "affected", "version": "3.1.x", "versionType": "Enterprise Support Only"}, {"lessThan": "3.2.14", "status": "affected", "version": "3.2.x", "versionType": "Enterprise Support Only"}, {"lessThan": "3.3.11", "status": "affected", "version": "3.3.x", "versionType": "OSS"}, {"lessThan": "3.4.5", "status": "affected", "version": "3.4.x", "versionType": "OSS"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><code>EndpointRequest.to()</code>&nbsp;creates a matcher for <code>null/**</code>&nbsp;if the actuator endpoint, for which the <code>EndpointRequest</code>&nbsp;has been created, is disabled or not exposed.</p><p>Your application may be affected by this if all the following conditions are met:</p><ul><li>You use Spring Security</li><li><code>EndpointRequest.to()</code>&nbsp;has been used in a Spring Security chain configuration</li><li>The endpoint which <code>EndpointRequest</code>&nbsp;references is disabled or not exposed via web</li><li>Your application handles requests to <code>/null</code>&nbsp;and this path needs protection</li></ul><p>You are not affected if any of the following is true:</p><ul><li>You don't use Spring Security</li><li>You don't use <code>EndpointRequest.to()</code></li><li>The endpoint which <code>EndpointRequest.to()</code>&nbsp;refers to is enabled and is exposed</li><li>Your application does not handle requests to <code>/null</code>&nbsp;or this path does not need protection</li></ul><br>"}], "value": "EndpointRequest.to()\u00a0creates a matcher for null/**\u00a0if the actuator endpoint, for which the EndpointRequest\u00a0has been created, is disabled or not exposed.\n\nYour application may be affected by this if all the following conditions are met:\n\n * You use Spring Security\n * EndpointRequest.to()\u00a0has been used in a Spring Security chain configuration\n * The endpoint which EndpointRequest\u00a0references is disabled or not exposed via web\n * Your application handles requests to /null\u00a0and this path needs protection\n\n\nYou are not affected if any of the following is true:\n\n * You don't use Spring Security\n * You don't use EndpointRequest.to()\n * The endpoint which EndpointRequest.to()\u00a0refers to is enabled and is exposed\n * Your application does not handle requests to /null\u00a0or this path does not need protection"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-04-28T07:10:35.370Z"}, "references": [{"url": "https://spring.io/security/cve-2025-22235"}], "source": {"discovery": "UNKNOWN"}, "title": "Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-28T16:16:38.622106Z", "id": "CVE-2025-22235", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-28T16:18:23.559Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250516-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-16T23:03:06.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250516-0010/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-16T23:03:06.227Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22235", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-28T16:16:38.622106Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-28T16:18:14.845Z"}}], "cna": {"title": "Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Boot", "versions": [{"status": "affected", "version": "2.7.x", "lessThan": "2.7.25", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "3.1.x", "lessThan": "3.1.16", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "3.2.x", "lessThan": "3.2.14", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "3.3.x", "lessThan": "3.3.11", "versionType": "OSS"}, {"status": "affected", "version": "3.4.x", "lessThan": "3.4.5", "versionType": "OSS"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2025-22235"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "EndpointRequest.to()\u00a0creates a matcher for null/**\u00a0if the actuator endpoint, for which the EndpointRequest\u00a0has been created, is disabled or not exposed.\n\nYour application may be affected by this if all the following conditions are met:\n\n * You use Spring Security\n * EndpointRequest.to()\u00a0has been used in a Spring Security chain configuration\n * The endpoint which EndpointRequest\u00a0references is disabled or not exposed via web\n * Your application handles requests to /null\u00a0and this path needs protection\n\n\nYou are not affected if any of the following is true:\n\n * You don't use Spring Security\n * You don't use EndpointRequest.to()\n * The endpoint which EndpointRequest.to()\u00a0refers to is enabled and is exposed\n * Your application does not handle requests to /null\u00a0or this path does not need protection", "supportingMedia": [{"type": "text/html", "value": "<p><code>EndpointRequest.to()</code>&nbsp;creates a matcher for <code>null/**</code>&nbsp;if the actuator endpoint, for which the <code>EndpointRequest</code>&nbsp;has been created, is disabled or not exposed.</p><p>Your application may be affected by this if all the following conditions are met:</p><ul><li>You use Spring Security</li><li><code>EndpointRequest.to()</code>&nbsp;has been used in a Spring Security chain configuration</li><li>The endpoint which <code>EndpointRequest</code>&nbsp;references is disabled or not exposed via web</li><li>Your application handles requests to <code>/null</code>&nbsp;and this path needs protection</li></ul><p>You are not affected if any of the following is true:</p><ul><li>You don't use Spring Security</li><li>You don't use <code>EndpointRequest.to()</code></li><li>The endpoint which <code>EndpointRequest.to()</code>&nbsp;refers to is enabled and is exposed</li><li>Your application does not handle requests to <code>/null</code>&nbsp;or this path does not need protection</li></ul><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-04-28T07:10:35.370Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22235", "state": "PUBLISHED", "dateUpdated": "2025-05-16T23:03:06.227Z", "dateReserved": "2025-01-02T04:30:06.832Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2025-04-28T07:10:35.370Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "EndpointRequest.to()\u00a0creates a matcher for null/**\u00a0if the actuator endpoint, for which the EndpointRequest\u00a0has been created, is disabled or not exposed.\n\nYour application may be affected by this if all the following conditions are met:\n\n * You use Spring Security\n * EndpointRequest.to()\u00a0has been used in a Spring Security chain configuration\n * The endpoint which EndpointRequest\u00a0references is disabled or not exposed via web\n * Your application handles requests to /null\u00a0and this path needs protection\n\n\nYou are not affected if any of the following is true:\n\n * You don't use Spring Security\n * You don't use EndpointRequest.to()\n * The endpoint which EndpointRequest.to()\u00a0refers to is enabled and is exposed\n * Your application does not handle requests to /null\u00a0or this path does not need protection"}, {"lang": "es", "value": "EndpointRequest.to() crea un comparador para null/** si el endpoint del actuador, para el que se cre\u00f3 EndpointRequest, est\u00e1 deshabilitado o no est\u00e1 expuesto. Su aplicaci\u00f3n puede verse afectada si se cumplen todas las siguientes condiciones: * Utiliza Spring Security * EndpointRequest.to() se ha utilizado en una configuraci\u00f3n de cadena de Spring Security * El punto final al que EndpointRequest hace referencia est\u00e1 deshabilitado o no est\u00e1 expuesto a trav\u00e9s de la web * Su aplicaci\u00f3n gestiona solicitudes a /null y esta ruta necesita protecci\u00f3n no se ver\u00e1 afectado si se cumple alguna de las siguientes condiciones: * No utiliza Spring Security * No utiliza EndpointRequest.to() * El endpoint al que EndpointRequest.to() hace referencia est\u00e1 habilitado y est\u00e1 expuesto * Su aplicaci\u00f3n no gestiona solicitudes a /null o esta ruta no necesita protecci\u00f3n"}], "id": "CVE-2025-22235", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2025-04-28T08:15:15.273", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2025-22235"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250516-0010/"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed", "id": "2362668", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362668"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["EndpointRequest.to()\u00a0creates a matcher for null/**\u00a0if the actuator endpoint, for which the EndpointRequest\u00a0has been created, is disabled or not exposed.\nYour application may be affected by this if all the following conditions are met:\n* You use Spring Security\n* EndpointRequest.to()\u00a0has been used in a Spring Security chain configuration\n* The endpoint which EndpointRequest\u00a0references is disabled or not exposed via web\n* Your application handles requests to /null\u00a0and this path needs protection\nYou are not affected if any of the following is true:\n* You don't use Spring Security\n* You don't use EndpointRequest.to()\n* The endpoint which EndpointRequest.to()\u00a0refers to is enabled and is exposed\n* Your application does not handle requests to /null\u00a0or this path does not need protection", "A flaw was found in the Spring Boot configuration. This vulnerability allows unauthorised access to the /null/** path via misconfigured security matchers when referencing disabled or non-exposed Spring Boot actuator endpoints."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-22235", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "spring-boot", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "spring-boot", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "spring-boot", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "spring-boot", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "spring-boot", "product_name": "streams for Apache Kafka"}], "public_date": "2025-04-28T07:10:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22235\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22235\nhttps://github.com/advisories/GHSA-rc42-6c7j-7h5r\nhttps://spring.io/security/cve-2025-22235"], "statement": "Your application may be affected by this if all the following conditions are met:\n- You use Spring Security\n- EndpointRequest.to() has been used in a Spring Security chain configuration\n- The endpoint which EndpointRequest references is disabled or not exposed via web\n- Your application handles requests to /null and this path needs protection\nYou are not affected if any of the following is true:\n- You don't use Spring Security\n- You don't use EndpointRequest.to()\n- The endpoint which EndpointRequest.to() refers to is enabled and is exposed\n- Your application does not handle requests to /null or this path does not need protection", "threat_severity": "Important"}

{}