Fluid Attacks Database

Description

Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

You use Spring Security

EndpointRequest.to() has been used in a Spring Security chain configuration

The endpoint which EndpointRequest references is disabled or not exposed via web

Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

You don't use Spring Security

You don't use EndpointRequest.to()

The endpoint which EndpointRequest.to() refers to is enabled and is exposed

Your application does not handle requests to /null or this path does not need protection

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework.boot:spring-boot	>=0 <=2.7.24.2 \|\| >=3.1.0 <=3.1.15.2 \|\| >=3.2.0 <=3.2.13.2 \|\| >=3.3.0 <3.3.11 \|\| >=3.4.0 <3.4.5	3.3.11, 3.4.5

Aliases

1. CVE-2025-222352. NVD-2025-222353. OSV-2025-222354. GCVE-2025-22235

References

1. https://security.netapp.com/advisory/ntap-20250516-00102. https://spring.io/security/cve-2025-222353. https://github.com/idealzh/cve-2025-22235-demo

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.