CVE-2025-22235: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

CVSS Score: 7.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.24992%
Published: 4/28/2025
Updated: 4/28/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name                          Ecosystem   Vulnerable Versions     First Patched Version
org.springframework.boot:spring-boot  maven       <= 2.7.24               2
org.springframework.boot:spring-boot  maven       >= 3.1.0, <= 3.1.15     2
org.springframework.boot:spring-boot  maven       >= 3.2.0, <= 3.2.13     2
org.springframework.boot:spring-boot  maven       >= 3.3.0, <= 3.3.10     3.3.11
org.springframework.boot:spring-boot  maven       >= 3.4.0, <= 3.4.4      3.4.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability, as described, occurs when EndpointRequest.to() is used for an actuator endpoint that is disabled or not exposed, leading to a matcher for null/**. The provided commit 55f67c9a522647039fd3294dee5cb83f4888160a patches the EndpointRequest.java files for both servlet and reactive stacks.

The core issue was that PathMappedEndpoints.getPath(endpointId) could return null for unexposed endpoints. This null value was then processed by the streamPaths method within the inner EndpointRequestMatcher class. Before the patch, streamPaths did not filter out these null paths.

These null paths were then used by the createDelegate methods (one in the servlet version, one in the reactive version of EndpointRequestMatcher) to construct matchers.

  • In the servlet version, the null path was passed to RequestMatcherFactory.antPath, where string concatenation converted the null reference into the literal text "null" when building the pattern, resulting in null/**.
  • In the reactive version, the null path was passed to getDelegateMatcher, which created a PathPatternParserServerWebExchangeMatcher from path + "/**", again yielding "null/**".

The patches address this by:

  1. Modifying streamPaths to explicitly filter out null values returned by pathMappedEndpoints.getPath().
  2. Adding Assert.notNull checks in RequestMatcherFactory.antPath (servlet) and getDelegateMatcher (reactive) to prevent null paths from being processed into matchers.
  3. Modifying the createDelegate methods to return an EMPTY_MATCHER if no valid delegate matchers can be formed (e.g., if all specified endpoints are unexposed and their paths become null and are filtered out).

The createDelegate methods in EndpointRequest$EndpointRequestMatcher for both servlet and reactive stacks are identified as the vulnerable functions because they orchestrate the faulty logic of using these potentially null paths to create the incorrect matchers. They are the highest-level methods within the matcher object (returned by EndpointRequest.to()) where the decision to form matchers based on these paths occurs.
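The following is an added, self-contained Java model of the path-to-pattern logic described above; it is not Spring Boot's code. PathMappedEndpoints, vulnerablePatterns and patchedPatterns are hypothetical stand-ins that reproduce only the null-handling behaviour before and after the fix, with an Optional.empty() result standing in for the EMPTY_MATCHER fallback.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;

// Stand-in model of the matcher construction; NOT Spring Boot's own code.
// Only the behaviour relevant to CVE-2025-22235 is kept.
public class EndpointMatcherModel {

    // Stand-in for PathMappedEndpoints: getPath() returns null for an
    // endpoint that is disabled or not exposed.
    static final class PathMappedEndpoints {
        private final Map<String, String> exposed;
        PathMappedEndpoints(Map<String, String> exposed) { this.exposed = exposed; }
        String getPath(String endpointId) { return exposed.get(endpointId); }
    }

    // Pre-patch behaviour: the null path is not filtered, and string
    // concatenation turns it into the literal "null", giving "null/**".
    static List<String> vulnerablePatterns(PathMappedEndpoints endpoints, List<String> ids) {
        return ids.stream()
                .map(endpoints::getPath)
                .map(path -> path + "/**")
                .collect(Collectors.toList());
    }

    // Patched behaviour: null paths are filtered out (fix 1), a non-null
    // assertion guards pattern creation (fix 2), and an empty Optional
    // models the EMPTY_MATCHER fallback when nothing remains (fix 3).
    static Optional<List<String>> patchedPatterns(PathMappedEndpoints endpoints, List<String> ids) {
        List<String> patterns = ids.stream()
                .map(endpoints::getPath)
                .filter(Objects::nonNull)
                .map(path -> Objects.requireNonNull(path, "path must not be null") + "/**")
                .collect(Collectors.toList());
        return patterns.isEmpty() ? Optional.empty() : Optional.of(patterns);
    }

    public static void main(String[] args) {
        // Constructed sample: only "health" is exposed, "env" is not.
        PathMappedEndpoints endpoints =
                new PathMappedEndpoints(Map.of("health", "/actuator/health"));
        List<String> ids = List.of("health", "env");
        System.out.println("before patch: " + vulnerablePatterns(endpoints, ids));
        System.out.println("after patch:  " + patchedPatterns(endpoints, ids).orElse(List.of()));
        System.out.println("all unexposed, after patch: " + patchedPatterns(endpoints, List.of("env")));
    }
}
```

Running the model shows the pre-patch list containing a "null/**" pattern for the unexposed endpoint, while the patched version drops it and, when every requested endpoint is unexposed, returns no matcher at all.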
