Home

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: * You use Spring Security * EndpointRequest.to() has been used in a Spring Security chain configuration * The endpoint which EndpointRequest references is disabled or not exposed via web * Your application handles requests to /null and this path needs protection You are not affected if any of the following is true: * You don't use Spring Security * You don't use EndpointRequest.to() * The endpoint which EndpointRequest.to() refers to is enabled and is exposed * Your application does not handle requests to /null or this path does not need protection

PUBLISHED Reserved 2025-01-02 | Published 2025-04-28 | Updated 2025-05-16 | Assigner vmware




HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Problem types

CWE-20 Improper Input Validation

Product status

Default status
unaffected

2.7.x (Enterprise Support Only) before 2.7.25
affected

3.1.x (Enterprise Support Only) before 3.1.16
affected

3.2.x (Enterprise Support Only) before 3.2.14
affected

3.3.x (OSS) before 3.3.11
affected

3.4.x (OSS) before 3.4.5
affected

References

security.netapp.com/advisory/ntap-20250516-0010/

spring.io/security/cve-2025-22235

cve.org (CVE-2025-22235)

nvd.nist.gov (CVE-2025-22235)

Download JSON