CVE-2025-22235 – Spring Security Endpoint Request Denial of Service (DoS)

The following table lists the changes that have been made to the
CVE-2025-22235 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by [email protected]

    Apr. 28, 2025

    Changes (action, type, new value; every entry is an addition, so the old-value column is empty):

    Added / Description:
      EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

      Your application may be affected by this if all the following conditions are met:

      * You use Spring Security
      * EndpointRequest.to() has been used in a Spring Security chain configuration
      * The endpoint which EndpointRequest references is disabled or not exposed via web
      * Your application handles requests to /null and this path needs protection

      You are not affected if any of the following is true:

      * You don’t use Spring Security
      * You don’t use EndpointRequest.to()
      * The endpoint which EndpointRequest.to() refers to is enabled and is exposed
      * Your application does not handle requests to /null or this path does not need protection

    Added / CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    Added / CWE: CWE-20
    Added / Reference: https://spring.io/security/cve-2025-22235
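The conditions listed in the description translate into a concrete filter-chain shape. The following Spring Boot configuration is an added illustration, not code from the advisory or from the Spring projects: it shows the rule ordering that meets all four conditions when the referenced actuator endpoint is disabled or not exposed, next to a chain that pins the application's own /null path to an explicit rule so the fourth condition no longer holds. The class, bean and method names and the choice of HealthEndpoint are assumptions; the API calls are the standard Spring Boot Actuator and Spring Security ones.

```java
// Added illustration, not code from the advisory or from the Spring projects.
// Class, bean and path names are assumptions; the API calls are the standard
// Spring Boot Actuator / Spring Security ones.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Rule layout that meets all four conditions from the advisory once the
    // health endpoint is disabled or not exposed over the web: per the
    // description, EndpointRequest.to() then yields a matcher for null/**
    // rather than the actuator path, so the permitAll rule attached to it is
    // the first rule a request under /null matches. Shown for comparison only;
    // it is not registered as a bean.
    static void affectedRules(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                .anyRequest().authenticated());
    }

    // Same chain with the application's own /null path given an explicit rule
    // ahead of the actuator matcher. authorizeHttpRequests applies the first
    // rule whose matcher fits, so /null/** is decided here regardless of what
    // the later EndpointRequest matcher resolves to. This removes only the
    // fourth condition ("/null needs protection") for this application; it is
    // an assumed hardening, not the vendor fix linked in the reference above.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/null/**").authenticated()
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

The third condition ("disabled or not exposed via web") corresponds, for the health endpoint used here, to the standard properties management.endpoint.health.enabled and management.endpoints.web.exposure.include; an assumed but straightforward check is to confirm that every endpoint class passed to EndpointRequest.to() in a chain is both enabled and included in the web exposure list for the deployed profile.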