CVE-2025-22235 Overview
EndpointRequest.to() (Spring Boot Actuator's request-matcher helper for use in Spring Security configuration) creates a matcher for null/** if the actuator endpoint for which the EndpointRequest has been created is disabled or not exposed over the web.
Your application may be affected by this if all the following conditions are met:
- You use Spring Security
- EndpointRequest.to() has been used in a Spring Security chain configuration
- The endpoint which EndpointRequest references is disabled or not exposed via web
- Your application handles requests to /null and this path needs protection
Critical Impact
When these conditions hold, the access rule written for the actuator endpoint (in practice usually permitAll(), since health or info are commonly opened up) is applied to /null and everything beneath it instead of to the intended actuator path. Any application functionality served under /null therefore becomes reachable at that relaxed access level. The matcher is created silently, so nothing in the configuration itself points at the problem.
Affected Products
- Spring Boot 3.4.0 to 3.4.4
- Spring Boot 3.3.0 to 3.3.10
- Older, unsupported Spring Boot versions
- Only applications whose Spring Security chain uses EndpointRequest.to() for a disabled or unexposed endpoint are affected in practice
Discovery Timeline
- 2025-04-28 - CVE CVE-2025-22235 published to NVD
- 2025-05-16 - Last updated in NVD database
Technical Details for CVE-2025-22235
Vulnerability Analysis
The vulnerability arises when a Spring Security chain uses EndpointRequest.to() to reference an actuator endpoint that is disabled or not exposed over the web. Instead of matching the endpoint's path (for example /actuator/health), the resulting matcher matches null/**, so the rule attached to it (typically permitAll()) silently applies to requests for /null and /null/**. Any application resource served under that path is then accessible at the access level intended for the actuator endpoint.
Root Cause
EndpointRequest.to() resolves the web path of the named endpoint from the endpoints the application actually exposes. When the endpoint is disabled or not web-exposed there is no path to resolve, and rather than matching nothing or failing fast, the method builds its request matcher for the literal pattern null/**.
Attack Vector
A network attacker sends an unauthenticated HTTP request to /null or to any path beneath /null/ on the affected application. No credentials, special headers or payloads are needed: if the application serves content there, the request is evaluated against the rule written for the actuator endpoint and is granted whatever that rule allows. Exploitation requires both the misconfiguration above and something worth reaching under /null; the actuator endpoint itself is not exposed by this flaw, because it is disabled or unexposed.
// Example exploitation code (sanitized): the "exploit" is an ordinary unauthenticated GET to /null
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
public class ExploitExample {
    public static void main(String[] args) throws Exception {
        // Placeholder target; /null is the path the mis-scoped null/** matcher covers
        String target = args.length > 0 ? args[0] : "http://localhost:8080";
        HttpRequest request = HttpRequest.newBuilder(URI.create(target + "/null")).GET().build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        // A 2xx without credentials on a path that should be protected confirms the misapplied rule
        System.out.println(response.statusCode());
    }
}
Detection Methods for CVE-2025-22235
Indicators of Compromise
- Requests for /null or /null/** from unauthenticated clients that receive 2xx responses
- Access-log entries for application resources under /null that would normally require authentication
- Path probing that includes /null alongside other commonly guessed paths
Detection Strategies
Automate detection by scanning web-server and application access logs for requests whose path is exactly /null or begins with /null/, and treat a successful (2xx) response to an anonymous client as the strongest signal. Correlate with whether the application actually maps anything under /null: a 404 indicates probing, a 2xx indicates the misapplied rule was exercised. Anomaly detection for authentication bypass (successful access to protected resources with no session or token) complements the path-based rule.
Monitoring Recommendations
Alongside log monitoring, audit the configuration itself: search the codebase for EndpointRequest.to( and verify that each referenced endpoint is both enabled (management.endpoint.<id>.enabled) and listed in management.endpoints.web.exposure.include, and confirm that the Spring Boot version in the dependency tree is 3.4.5 or 3.3.11 or later. Alert on any access to /null paths in applications that fail either check.
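The following is an added detection example, not part of the original advisory: it scans access-log lines in the common log format and reports requests whose path is exactly /null or lies under /null/, separating ones that were served (2xx) from ones that were rejected, so a served anonymous request stands out. The four log lines are constructed for the example; /nullable is included deliberately to show the matcher must not over-match.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NullPathProbeDetector {

    // Common Log Format: host ident user [time] "METHOD path protocol" status bytes
    private static final Pattern LINE = Pattern.compile(
            "^(\\S+) \\S+ (\\S+) \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) ");

    // Constructed sample lines; only the first two hit the mis-scoped null/** matcher.
    static final List<String> SAMPLE_LOG = List.of(
            "203.0.113.7 - - [28/Apr/2025:10:15:01 +0000] \"GET /null/report HTTP/1.1\" 200 512",
            "203.0.113.7 - - [28/Apr/2025:10:15:03 +0000] \"GET /null?probe=1 HTTP/1.1\" 404 0",
            "198.51.100.2 - alice [28/Apr/2025:10:16:10 +0000] \"GET /nullable/items HTTP/1.1\" 200 88",
            "198.51.100.2 - - [28/Apr/2025:10:17:44 +0000] \"GET /actuator/health HTTP/1.1\" 200 15");

    // True only for /null itself or anything below /null/; the query string is ignored.
    // /nullable is excluded because an Ant-style null/** pattern would not match it either.
    static boolean targetsNullPath(String rawPath) {
        String path = rawPath.split("\\?", 2)[0];
        return path.equals("/null") || path.startsWith("/null/");
    }

    // One finding per matching line, e.g. "SERVED 203.0.113.7 user=- GET /null/report 200".
    // A SERVED finding for an anonymous user ("-") is the strongest indicator that the
    // actuator rule (typically permitAll) was applied to /null.
    static List<String> findProbes(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) {
                continue; // not in the expected log format; skip rather than guess
            }
            String client = m.group(1);
            String user = m.group(2);
            String method = m.group(4);
            String path = m.group(5);
            int status = Integer.parseInt(m.group(6));
            if (!targetsNullPath(path)) {
                continue;
            }
            String kind = status < 300 ? "SERVED" : "PROBE";
            findings.add(kind + " " + client + " user=" + user + " " + method + " " + path + " " + status);
        }
        return findings;
    }

    public static void main(String[] args) {
        findProbes(SAMPLE_LOG).forEach(System.out::println);
    }
}
```

Run against real logs by replacing SAMPLE_LOG with the file's lines; the regex assumes the common/combined format produced by most reverse proxies, so adjust the pattern if your access log uses a different layout. A SERVED line for an anonymous client on a path the application is supposed to protect is the finding to escalate.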
How to Mitigate CVE-2025-22235
Immediate Actions Required
- Upgrade Spring Boot to 3.4.5 (3.4.x line) or 3.3.11 (3.3.x line); older, unsupported lines are also affected and should move to a supported version
- Review every EndpointRequest.to() rule in the Spring Security chain and confirm that the referenced actuator endpoint is both enabled and web-exposed; remove or rewrite rules for endpoints that are not
- Check whether the application serves anything under /null; if it does, make sure an explicit, more restrictive rule covers it and that a misapplied permissive rule cannot reach it
- Apply the principle of least privilege to actuator endpoints: expose only what is needed and require authentication for everything except endpoints that are intentionally public
Patch Information
Spring has released fixes in Spring Boot 3.4.5 and 3.3.11. Versions 3.4.0 to 3.4.4 and 3.3.0 to 3.3.10 are affected, as are older unsupported versions; upgrade to the fixed release for your line as soon as possible.
Workarounds
If upgrading is not immediately possible, remove EndpointRequest.to() rules that reference disabled or unexposed endpoints, or replace them with explicit path matchers under the actuator base path, so that a rule can no longer drift onto null/**. Validate the resulting configuration by requesting /null anonymously and confirming that it is rejected.
# application.properties: every endpoint named in EndpointRequest.to() must be both
# enabled and web-exposed, otherwise the matcher degrades to null/** on affected versions
management.endpoints.web.exposure.include=health,info
# Endpoints that are disabled must not appear in any EndpointRequest.to() rule
management.endpoint.env.enabled=false
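The following is an added example (not code from the Spring project or from this advisory) that ties together the affected-configuration conditions listed in the overview and the mitigation steps above: the vulnerable EndpointRequest.to() pattern beside a hardened configuration. It assumes a Spring Boot 3.x application using Spring Security's lambda DSL, a hypothetical controller mapped at /null/report that must stay behind authentication, and the health endpoint disabled (management.endpoint.health.enabled=false) or left out of management.endpoints.web.exposure.include.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical application endpoint that must stay behind authentication.
// It lives under /null only to show the path the mis-scoped null/** matcher covers.
@RestController
class NullPathController {
    @GetMapping("/null/report")
    String report() {
        return "internal report: authenticated users only";
    }
}

// VULNERABLE on Spring Boot 3.4.0-3.4.4 and 3.3.0-3.3.10 when the health endpoint is
// disabled or not web-exposed: EndpointRequest.to(HealthEndpoint.class) then produces a
// matcher for null/**, so permitAll() is granted to /null/report and the anyRequest()
// rule below it is never reached for that path.
@Configuration
class VulnerableSecurityConfig {
    @Bean
    SecurityFilterChain vulnerableChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// HARDENED: the actuator rule is an explicit path pattern, so it cannot drift onto a
// different path if the endpoint is later disabled or un-exposed. Upgrading to Spring
// Boot 3.4.5 / 3.3.11 fixes EndpointRequest.to() itself; keep the path in step with
// management.endpoints.web.base-path (default /actuator) if you change it.
@Configuration
class HardenedSecurityConfig {
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health", "/actuator/health/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Only one of the two @Configuration classes should be on the classpath at a time; they are shown side by side for comparison. To verify the fix, start the application with the health endpoint disabled and request /null/report without credentials: the vulnerable chain answers 200, the hardened chain (or the vulnerable chain on a patched Spring Boot) answers 401. Rule order matters in both variants, since anyRequest().authenticated() only protects a path that no earlier, more permissive matcher has already claimed.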
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

