CVE-2025-22235 Information
Apr 29, 2025
cve
Description
EndpointRequest.to() creates a matcher for null/ if the actuator endpoint for which the EndpointRequest has been created is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
You use Spring Security
EndpointRequest.to() has been used in a Spring Security chain configuration
The endpoint which EndpointRequest references is disabled or not exposed via web
Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
You don't use Spring Security
You don't use EndpointRequest.to()
The endpoint which EndpointRequest.to() refers to is enabled and is exposed
Your application does not handle requests to /null or this path does not need protection
Reference
https://spring.io/security/cve-2025-22235
Share on: