Security Advisories

CVE-2025-22235

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-22235

CGA ID

CGA-5qrg-rqx9-wqjf

Severity

Unknown

Summary

Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

  • You use Spring Security
  • EndpointRequest.to() has been used in a Spring Security chain configuration
  • The endpoint which EndpointRequest references is disabled or not exposed via web
  • Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

  • You don't use Spring Security
  • You don't use EndpointRequest.to()
  • The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  • Your application does not handle requests to /null or this path does not need protection
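
The affected pattern next to one defensive rule ordering, as an added example (not code from this advisory or from the Spring project). The class name, the metrics endpoint id, the permitAll() rule, the HTTP Basic setup and the explicit /null/** guard are assumptions chosen for illustration.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added illustration: class name, endpoint id and access rules are assumptions.
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            // Defensive guard, declared first. Authorization rules are checked
            // in declaration order and the first match wins, so /null/** stays
            // behind authentication even if a later EndpointRequest matcher
            // ends up matching null/** instead of its endpoint path.
            .requestMatchers("/null/**").authenticated()

            // Pattern the advisory describes: if the "metrics" endpoint is
            // disabled or not exposed via web, this matcher is created for
            // null/**, so the rule attached to it (here permitAll) would
            // apply to /null/** rather than to the actuator endpoint.
            .requestMatchers(EndpointRequest.to("metrics")).permitAll()

            // Everything else requires an authenticated user.
            .anyRequest().authenticated());

        // Assumed authentication mechanism for the example.
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```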

References

  • https://images.chainguard.dev/security/CGA-5qrg-rqx9-wqjf

Affected packages

