Bug 2358900 (CVE-2025-22232)

Summary: CVE-2025-22232 spring-cloud-config-server: Spring Cloud Config Server May Not Use Vault Token Sent By Clients
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: asoldano, ataylor, bbaranow, bmaxwell, brian.stansberry, cdewolf, darran.lofthouse, dkreling, dosoudil, fjuma, istudens, ivassile, iweiss, lgao, mosmerov, msochure, msvehla, nwallace, pesilva, pjindal, pmackay, rstancel, smaestri, tom.jenkinson
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw was found in Spring Cloud Config Server. This vulnerability allows an attacker to bypass Vault token validation via the X-CONFIG-TOKEN header. If a malicious client sends a different Vault token in the X-CONFIG-TOKEN header, the Spring Cloud Config Server may continue using the first token it retrieved, instead of the one sent by the client. This can result in unauthorized access to sensitive data from Vault.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description OSIDB Bzimport 2025-04-10 18:01:11 UTC
Spring Cloud Config Server may not use the Vault token sent by clients in an X-CONFIG-TOKEN header when making requests to Vault.
Your application may be affected by this if the following are true:
  *  You have Spring Vault on the classpath of your Spring Cloud Config Server and
  *  You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and
  *  You are using the default Spring Vault SessionManager implementation LifecycleAwareSessionManager or a SessionManager implementation that persists the Vault token such as SimpleSessionManager.

In this case the SessionManager persists the first token it retrieves and will continue to use that token even if later client requests to the Spring Cloud Config Server include an X-CONFIG-TOKEN header with a different value.
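The behaviour described above, as an added illustration that is not Spring Cloud Config or Spring Vault code: a persisting session manager keeps the first token it sees, so a second client's request is forwarded to Vault under the first client's token, while a request-scoped session manager forwards each client's own token. The class names, the mock Vault, the policies and the token strings are all constructed for this example.

```python
"""Model of the token-persistence behaviour behind CVE-2025-22232.
Added illustration, not Spring Cloud Config or Spring Vault code."""

# Constructed sample Vault state: each token may read only its own path.
VAULT_POLICIES = {
    "hvs.team-a-token": {"secret/app-a"},
    "hvs.team-b-token": {"secret/app-b"},
}
VAULT_SECRETS = {
    "secret/app-a": {"db.password": "a-secret"},
    "secret/app-b": {"db.password": "b-secret"},
}


def vault_read(token, path):
    """Mock Vault read: authorises the path against the token's policy."""
    allowed = VAULT_POLICIES.get(token)
    if allowed is None or path not in allowed:
        raise PermissionError(f"403 permission denied for {path}")
    return VAULT_SECRETS[path]


class PersistingSessionManager:
    """Models the persisting behaviour in the advisory: the first token
    obtained is kept and reused for every later Vault request."""

    def __init__(self):
        self._token = None

    def get_token(self, supplied):
        if self._token is None:
            self._token = supplied
        return self._token


class RequestScopedSessionManager:
    """Hardened model: the token from the current client request is used."""

    def get_token(self, supplied):
        return supplied


class ConfigServer:
    """Minimal stand-in for a Config Server that reads the client's
    X-CONFIG-TOKEN header and asks the session manager which token to use."""

    def __init__(self, session_manager):
        self.sessions = session_manager

    def handle(self, headers, path):
        token = headers.get("X-CONFIG-TOKEN")
        if token is None:
            raise ValueError("missing X-CONFIG-TOKEN header")
        effective = self.sessions.get_token(token)
        return vault_read(effective, path)


# Constructed request sequence: team A reads its own path, then team B
# asks for team A's path and for its own path.
REQUESTS = [
    ("hvs.team-a-token", "secret/app-a"),
    ("hvs.team-b-token", "secret/app-a"),
    ("hvs.team-b-token", "secret/app-b"),
]


def run_scenario(session_manager):
    """Returns one (status, detail) tuple per request so the two session
    managers can be compared side by side."""
    server = ConfigServer(session_manager)
    results = []
    for token, path in REQUESTS:
        try:
            secret = server.handle({"X-CONFIG-TOKEN": token}, path)
            results.append(("ok", secret["db.password"]))
        except PermissionError as exc:
            results.append(("denied", str(exc)))
    return results


if __name__ == "__main__":
    print("persisting:    ", run_scenario(PersistingSessionManager()))
    print("request-scoped:", run_scenario(RequestScopedSessionManager()))
```

With the persisting manager the second request is served with team A's secret even though the client presented team B's token, and the third request is denied because the cached token cannot read team B's path; the request-scoped manager denies the second request and serves the third. The same two-token probe against a non-production Config Server after upgrading is a direct check that a later client's token is no longer ignored.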
Affected Spring Products and Versions
Spring Cloud Config:
  *  2.2.1.RELEASE - 4.2.1


Mitigation
Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
4.2.x                 4.2.2         OSS
4.1.x                 4.1.6         OSS
4.0.x                 4.0.10        Commercial
3.1.x                 3.1.10        Commercial
3.0.x                 4.1.6         OSS
2.2.x                 4.1.6         OSS
NOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.

No other mitigation steps are necessary.