GHSA-rc42-6c7j-7h5r

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

You use Spring Security
EndpointRequest.to() has been used in a Spring Security chain configuration
The endpoint which EndpointRequest references is disabled or not exposed via web
Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

You don't use Spring Security
You don't use EndpointRequest.to()
The endpoint which EndpointRequest.to() refers to is enabled and is exposed
Your application does not handle requests to /null or this path does not need protection

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-28T20:59:16Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-862"
    ],
    "nvd_published_at": "2025-04-28T08:15:15Z",
    "severity": "HIGH"
}

References

Affected packages

Maven

org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.7.24.2

Affected versions

1.*

1.0.0.RELEASE

1.0.1.RELEASE

1.0.2.RELEASE

1.1.0.RELEASE

1.1.1.RELEASE

1.1.2.RELEASE

1.1.3.RELEASE

1.1.4.RELEASE

1.1.5.RELEASE

1.1.6.RELEASE

1.1.7.RELEASE

1.1.8.RELEASE

1.1.9.RELEASE

1.1.10.RELEASE

1.1.11.RELEASE

1.1.12.RELEASE

1.2.0.RELEASE

1.2.1.RELEASE

1.2.2.RELEASE

1.2.3.RELEASE

1.2.4.RELEASE

1.2.5.RELEASE

1.2.6.RELEASE

1.2.7.RELEASE

1.2.8.RELEASE

1.3.0.RELEASE

1.3.1.RELEASE

1.3.2.RELEASE

1.3.3.RELEASE

1.3.4.RELEASE

1.3.5.RELEASE

1.3.6.RELEASE

1.3.7.RELEASE

1.3.8.RELEASE

1.4.0.RELEASE

1.4.1.RELEASE

1.4.2.RELEASE

1.4.3.RELEASE

1.4.4.RELEASE

1.4.5.RELEASE

1.4.6.RELEASE

1.4.7.RELEASE

1.5.0.RELEASE

1.5.1.RELEASE

1.5.2.RELEASE

1.5.3.RELEASE

1.5.4.RELEASE

1.5.5.RELEASE

1.5.6.RELEASE

1.5.7.RELEASE

1.5.8.RELEASE

1.5.9.RELEASE

1.5.10.RELEASE

1.5.11.RELEASE

1.5.12.RELEASE

1.5.13.RELEASE

1.5.14.RELEASE

1.5.15.RELEASE

1.5.16.RELEASE

1.5.17.RELEASE

1.5.18.RELEASE

1.5.19.RELEASE

1.5.20.RELEASE

1.5.21.RELEASE

1.5.22.RELEASE

2.*

2.0.0.RELEASE

2.0.1.RELEASE

2.0.2.RELEASE

2.0.3.RELEASE

2.0.4.RELEASE

2.0.5.RELEASE

2.0.6.RELEASE

2.0.7.RELEASE

2.0.8.RELEASE

2.0.9.RELEASE

2.1.0.RELEASE

2.1.1.RELEASE

2.1.2.RELEASE

2.1.3.RELEASE

2.1.4.RELEASE

2.1.5.RELEASE

2.1.6.RELEASE

2.1.7.RELEASE

2.1.8.RELEASE

2.1.9.RELEASE

2.1.10.RELEASE

2.1.11.RELEASE

2.1.12.RELEASE

2.1.13.RELEASE

2.1.14.RELEASE

2.1.15.RELEASE

2.1.16.RELEASE

2.1.17.RELEASE

2.1.18.RELEASE

2.2.0.RELEASE

2.2.1.RELEASE

2.2.2.RELEASE

2.2.3.RELEASE

2.2.4.RELEASE

2.2.5.RELEASE

2.2.6.RELEASE

2.2.7.RELEASE

2.2.8.RELEASE

2.2.9.RELEASE

2.2.10.RELEASE

2.2.11.RELEASE

2.2.12.RELEASE

2.2.13.RELEASE

2.3.0.RELEASE

2.3.1.RELEASE

2.3.2.RELEASE

2.3.3.RELEASE

2.3.4.RELEASE

2.3.5.RELEASE

2.3.6.RELEASE

2.3.7.RELEASE

2.3.8.RELEASE

2.3.9.RELEASE

2.3.10.RELEASE

2.3.11.RELEASE

2.3.12.RELEASE

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.5.10

2.5.11

2.5.12

2.5.13

2.5.14

2.5.15

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

2.7.15

2.7.16

2.7.17

2.7.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rc42-6c7j-7h5r/GHSA-rc42-6c7j-7h5r.json"

org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Last affected

3.1.15.2

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rc42-6c7j-7h5r/GHSA-rc42-6c7j-7h5r.json"

org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Last affected

3.2.13.2

Affected versions

3.*

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

3.2.11

3.2.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rc42-6c7j-7h5r/GHSA-rc42-6c7j-7h5r.json"

org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Fixed

3.3.11

Affected versions

3.*

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.3.10

Database specific

last_known_affected_version_range

"<= 3.3.10"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rc42-6c7j-7h5r/GHSA-rc42-6c7j-7h5r.json"

org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0

Fixed

3.4.5

Affected versions

3.*

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

Database specific

last_known_affected_version_range

"<= 3.4.4"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rc42-6c7j-7h5r/GHSA-rc42-6c7j-7h5r.json"