CVE-2025-22235

• Affected product: Spring Boot
• Affected packages: spring-boot-actuator-autconfigure

• Affected versions:
  • 2.7.0 – 2.7.24.2
  • 3.1.0 – 3.1.15.2
  • 3.2.0 – 3.2.13.2
  • 3.3.0 – 3.3.10
  • 3.4.0 – 3.4.4
  • Older, unsupported versions are also affected

• GitHub repository: https://github.com/spring-projects/spring-boot
• Published packages: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure

Fixed In: ELS for Spring Boot v2.7.18.TuxCare.6

In Spring Boot, the EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Spring Boot  2.7.x is no longer supported by open source community as its End of Life date is 2023-06-30. It simply means that version from that date does not receive any updates to address this issue.

‍Users of the affected components should apply one of the following mitigations:

• Leverage the TuxCare support partner for Endless Lifecycle Support that extends regular community EoL security support and simply just apply our patches.
• Upgrade to the 3.3.11+ open source community version and accept the risk of not getting any further security updates from the community starting from 30th of June’25.
• Alternatively take the effort to upgrade to the latest greatest supported Spring Framework open source versions that are not affected e.g. 3.4.5+ and get community support till end of 2025
• Do not process requests to `/null`. If handling `/null` is necessary, ensure robust security measures are in place.
• Verify that endpoints referenced by `EndpointRequest.to()` are correctly exposed, enabled, and accessible through the web.

Do you need a fix for this vulnerability for any other Spring Boot version, please contact us, we are here to help you!

• https://nvd.nist.gov/vuln/detail/CVE-2025-22235
• https://spring.io/security/cve-2025-22235
• https://github.com/advisories/GHSA-rc42-6c7j-7h5r