GHSA-rc42-6c7j-7h5r

Source

https://github.com/advisories/GHSA-rc42-6c7j-7h5r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rc42-6c7j-7h5r/GHSA-rc42-6c7j-7h5r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rc42-6c7j-7h5r

Aliases

CVE-2025-22235

Related

Published

2025-04-28T09:31:53Z

Modified

2025-05-17T01:05:47.005564Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

Details

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

You use Spring Security
EndpointRequest.to() has been used in a Spring Security chain configuration
The endpoint which EndpointRequest references is disabled or not exposed via web
Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

You don't use Spring Security
You don't use EndpointRequest.to()
The endpoint which EndpointRequest.to() refers to is enabled and is exposed
Your application does not handle requests to /null or this path does not need protection

Database specific

{
    "nvd_published_at": "2025-04-28T08:15:15Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-28T20:59:16Z"
}

References

Affected packages

Maven / org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.7.24.2

Affected versions

1.*

1.0.0.RELEASE

1.0.1.RELEASE

1.0.2.RELEASE

1.1.0.RELEASE

1.1.1.RELEASE

1.1.2.RELEASE

1.1.3.RELEASE

1.1.4.RELEASE

1.1.5.RELEASE

1.1.6.RELEASE

1.1.7.RELEASE

1.1.8.RELEASE

1.1.9.RELEASE

1.1.10.RELEASE

1.1.11.RELEASE

1.1.12.RELEASE

1.2.0.RELEASE

1.2.1.RELEASE

1.2.2.RELEASE

1.2.3.RELEASE

1.2.4.RELEASE

1.2.5.RELEASE

1.2.6.RELEASE

1.2.7.RELEASE

1.2.8.RELEASE

1.3.0.RELEASE

1.3.1.RELEASE

1.3.2.RELEASE

1.3.3.RELEASE

1.3.4.RELEASE

1.3.5.RELEASE

1.3.6.RELEASE

1.3.7.RELEASE

1.3.8.RELEASE

1.4.0.RELEASE

1.4.1.RELEASE

1.4.2.RELEASE

1.4.3.RELEASE

1.4.4.RELEASE

1.4.5.RELEASE

1.4.6.RELEASE

1.4.7.RELEASE

1.5.0.RELEASE

1.5.1.RELEASE

1.5.2.RELEASE

1.5.3.RELEASE

1.5.4.RELEASE

1.5.5.RELEASE

1.5.6.RELEASE

1.5.7.RELEASE

1.5.8.RELEASE

1.5.9.RELEASE

1.5.10.RELEASE

1.5.11.RELEASE

1.5.12.RELEASE

1.5.13.RELEASE

1.5.14.RELEASE

1.5.15.RELEASE

1.5.16.RELEASE

1.5.17.RELEASE

1.5.18.RELEASE

1.5.19.RELEASE

1.5.20.RELEASE

1.5.21.RELEASE

1.5.22.RELEASE

2.*

2.0.0.RELEASE

2.0.1.RELEASE

2.0.2.RELEASE

2.0.3.RELEASE

2.0.4.RELEASE

2.0.5.RELEASE

2.0.6.RELEASE

2.0.7.RELEASE

2.0.8.RELEASE

2.0.9.RELEASE

2.1.0.RELEASE

2.1.1.RELEASE

2.1.2.RELEASE

2.1.3.RELEASE

2.1.4.RELEASE

2.1.5.RELEASE

2.1.6.RELEASE

2.1.7.RELEASE

2.1.8.RELEASE

2.1.9.RELEASE

2.1.10.RELEASE

2.1.11.RELEASE

2.1.12.RELEASE

2.1.13.RELEASE

2.1.14.RELEASE

2.1.15.RELEASE

2.1.16.RELEASE

2.1.17.RELEASE

2.1.18.RELEASE

2.2.0.RELEASE

2.2.1.RELEASE

2.2.2.RELEASE

2.2.3.RELEASE

2.2.4.RELEASE

2.2.5.RELEASE

2.2.6.RELEASE

2.2.7.RELEASE

2.2.8.RELEASE

2.2.9.RELEASE

2.2.10.RELEASE

2.2.11.RELEASE

2.2.12.RELEASE

2.2.13.RELEASE

2.3.0.RELEASE

2.3.1.RELEASE

2.3.2.RELEASE

2.3.3.RELEASE

2.3.4.RELEASE

2.3.5.RELEASE

2.3.6.RELEASE

2.3.7.RELEASE

2.3.8.RELEASE

2.3.9.RELEASE

2.3.10.RELEASE

2.3.11.RELEASE

2.3.12.RELEASE

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.4.11

2.4.12

2.4.13

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.5.10

2.5.11

2.5.12

2.5.13

2.5.14

2.5.15

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

2.7.15

2.7.16

2.7.17

2.7.18

Maven / org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Last affected

3.1.15.2

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

Maven / org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Last affected

3.2.13.2

Affected versions

3.*

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

3.2.11

3.2.12

Maven / org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Fixed

3.3.11

Affected versions

3.*

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.3.8

3.3.9

3.3.10

Database specific

{
    "last_known_affected_version_range": "<= 3.3.10"
}

Maven / org.springframework.boot:spring-boot

Package

Name: org.springframework.boot:spring-boot; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.boot/spring-boot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0

Fixed

3.4.5

Affected versions

3.*

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

Database specific

{
    "last_known_affected_version_range": "<= 3.4.4"
}