A critical vulnerability (CVE-2025-22235) was recently disclosed in the widely used Spring Security library. It can allow unauthorized access to sensitive information or restricted functionality in affected web applications. This blog post provides an in-depth analysis of the vulnerability, discusses its implications, and suggests mitigations to help protect your application.
Description
The vulnerability stems from the behaviour of the EndpointRequest.to() method when it is used in a Spring Security filter chain configuration. Specifically, EndpointRequest.to() creates a matcher for null/** if the actuator endpoint for which the EndpointRequest was created is disabled or not exposed over the web.
Impact
Applications affected by this vulnerability may grant unauthorized access to restricted resources if all the following conditions are met:
* The endpoint that EndpointRequest references is disabled or not exposed over the web
* Your application handles requests to /null (or paths under it) and that path needs protection
Exploit Details
An attacker can potentially exploit this vulnerability to bypass Spring Security's access control by sending requests to the /null path, which the unintended null/** matcher permits. Below is a code snippet showing the vulnerable configuration (imports added so it compiles as written):
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Intended: allow anonymous access to the health actuator endpoint only.
                // On affected versions, if "health" is disabled or not exposed over the
                // web, this matcher silently becomes null/** instead.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                .anyRequest().authenticated();
    }
}
In this example, the health actuator endpoint is disabled or not exposed, so EndpointRequest.to("health") generates a null/** matcher instead of one for the actuator path. Consequently, any request to /null or to a path under it is matched by the permitAll() rule and reaches the application without authentication, bypassing the intended restrictions.
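As an added example (not from the original post or from the Spring projects), the following JUnit test reproduces the two conditions from the Impact section against the SecurityConfig above: it fails on an affected version and passes once the fix is in place, so it can serve as a regression check around the upgrade. It assumes the test lives in a package scanned by the application, that a @SpringBootApplication class exists, and that the NullPathProbe controller is hypothetical, added only so that /null actually resolves to a handler.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Reproduce the advisory's conditions: the "health" endpoint that
// SecurityConfig references is disabled, and the application serves /null.
@SpringBootTest(properties = {
        "management.endpoint.health.enabled=false",
        "management.endpoints.web.exposure.include=info"
})
@AutoConfigureMockMvc
class NullPathProtectionTest {

    @Autowired
    MockMvc mvc;

    // Hypothetical controller (test-only) so that /null and /null/** resolve;
    // without a handler a 404 would not tell us whether security was applied.
    @RestController
    static class NullPathProbe {
        @GetMapping({"/null", "/null/**"})
        String probe() { return "reachable"; }
    }

    // A nested @TestConfiguration is picked up in addition to the app config.
    @TestConfiguration
    static class ProbeConfig {
        @Bean
        NullPathProbe nullPathProbe() { return new NullPathProbe(); }
    }

    // Anonymous requests must not reach the handler. On an affected version the
    // bogus null/** matcher lets these return 200; on a fixed version they are
    // rejected (403 here, because SecurityConfig defines no login entry point).
    @Test
    void anonymousCannotReachNullPath() throws Exception {
        mvc.perform(get("/null")).andExpect(status().is4xxClientError());
        mvc.perform(get("/null/anything")).andExpect(status().is4xxClientError());
    }
}
```

If the real configuration adds formLogin(), expect a 302 redirect to the login page instead of a 4xx status.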
Original References
Detailed information about this vulnerability can be found in the Spring Security repository here.
Mitigation
* If you are not using EndpointRequest.to(), no action is needed.
* If the endpoint that EndpointRequest.to() refers to is enabled and exposed, no action is needed.
* If your application does not handle requests to /null, or this path does not need protection, no action is needed.
* In all other cases, consider migrating to the latest version of Spring Security, which contains a fix for this vulnerability.
Conclusion
We hope this blog post has provided useful insights into addressing CVE-2025-22235 in your application. As always, keep your application's dependencies up to date and regularly assess the security of your overall web application stack to minimize potential risks.
Timeline
Published on: 04/28/2025 08:15:15 UTC
Last modified on: 04/29/2025 13:52:10 UTC