CVE-2025-22235: 
Spring Boot vulnerability analysis and mitigation

CVE-2025-22235 is a security vulnerability in Spring Boot's EndpointRequest.to() functionality, discovered by Janek Bettinger and disclosed on April 24, 2025. The vulnerability affects Spring Boot versions 2.7.0-2.7.24.2, 3.1.0-3.1.15.2, 3.2.0-3.2.13.2, 3.3.0-3.3.10, and 3.4.0-3.4.4, where EndpointRequest.to() incorrectly creates a matcher for null/** when the actuator endpoint is disabled or not exposed (Spring Security, NVD).

The vulnerability occurs when EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. The issue has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility with low attack complexity and no privileges or user interaction required (NVD).

The vulnerability can lead to unauthorized access to the /null/** path in applications that handle requests to /null and require protection for this path. This affects applications that use Spring Security and have implemented EndpointRequest.to() in their Spring Security chain configuration where the referenced endpoint is disabled or not exposed via web (Spring Security).

Users are advised to upgrade to the fixed versions: 2.7.25 (Enterprise Support Only), 3.1.16 (Enterprise Support Only), 3.2.14 (Enterprise Support Only), 3.3.11 (OSS), or 3.4.5 (OSS). If upgrading is not possible, alternative mitigations include ensuring that the endpoint referenced by EndpointRequest.to() is enabled and exposed via web, or ensuring that requests to /null are not handled by the application (Spring Security, Spring Blog).