Launch Week Day 1: Announcing Security Design Review
Start for Free
HIGH 7.3 Maven

Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

GHSA-rc42-6c7j-7h5r · CVE-2025-22235

Published · Modified

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

  • You use Spring Security
  • EndpointRequest.to() has been used in a Spring Security chain configuration
  • The endpoint which EndpointRequest references is disabled or not exposed via web
  • Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

  • You don't use Spring Security
  • You don't use EndpointRequest.to()
  • The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  • Your application does not handle requests to /null or this path does not need protection

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes