CVE-2025-22235

Name of the Vulnerable Software and Affected Versions Spring Boot version 2.7.x

Description The issue arises when EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. An application may be affected if it uses Spring Security, EndpointRequest.to() has been used in a Spring Security chain configuration, the referenced endpoint is disabled or not exposed via web, and the application handles requests to /null, which needs protection.

Recommendations For Spring Boot version 2.7.x, consider disabling the EndpointRequest.to() function until a patch is available. Restrict access to the vulnerable endpoint to minimize the risk of exploitation. Avoid using the /null path in the affected API endpoint until the issue is resolved.

Note: At the moment, there is no information about a newer version that contains a fix for this vulnerability.