Bug 2362668 (CVE-2025-22235) - CVE-2025-22235 org.springframework.boot/spring-boot: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
Keywords:
Status: NEW
Alias: CVE-2025-22235
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2368852
Blocks:
Reported: 2025-04-28 08:01 UTC by OSIDB Bzimport
Modified: 2025-06-12 20:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-04-28 08:01:15 UTC
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

  *  You use Spring Security
  *  EndpointRequest.to() has been used in a Spring Security chain configuration
  *  The endpoint which EndpointRequest references is disabled or not exposed via the web
  *  Your application handles requests to /null and this path needs protection


You are not affected if any of the following is true:

  *  You don't use Spring Security
  *  You don't use EndpointRequest.to()
  *  The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  *  Your application does not handle requests to /null or this path does not need protection

