Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-amhw-mxxc-auev
Vulnerability ID VCID-amhw-mxxc-auev
Aliases CVE-2025-22235
GHSA-rc42-6c7j-7h5r
Summary EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: * You use Spring Security * EndpointRequest.to() has been used in a Spring Security chain configuration * The endpoint which EndpointRequest references is disabled or not exposed via web * Your application handles requests to /null and this path needs protection You are not affected if any of the following is true: * You don't use Spring Security * You don't use EndpointRequest.to() * The endpoint which EndpointRequest.to() refers to is enabled and is exposed * Your application does not handle requests to /null or this path does not need protection
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-20 Improper Input Validation
CWE-862 Missing Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22235.json
epss 0.00181 https://api.first.org/data/v1/epss?cve=CVE-2025-22235
epss 0.00181 https://api.first.org/data/v1/epss?cve=CVE-2025-22235
cvssv3.1 7.3 https://github.com/spring-projects/spring-boot
generic_textual HIGH https://github.com/spring-projects/spring-boot
cvssv3.1 7.3 https://nvd.nist.gov/vuln/detail/CVE-2025-22235
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-22235
cvssv3.1 7.3 https://security.netapp.com/advisory/ntap-20250516-0010
generic_textual HIGH https://security.netapp.com/advisory/ntap-20250516-0010
cvssv3.1 7.3 https://spring.io/security/cve-2025-22235
generic_textual HIGH https://spring.io/security/cve-2025-22235
ssvc Track https://spring.io/security/cve-2025-22235
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22235.json
https://api.first.org/data/v1/epss?cve=CVE-2025-22235
https://github.com/spring-projects/spring-boot
https://nvd.nist.gov/vuln/detail/CVE-2025-22235
https://security.netapp.com/advisory/ntap-20250516-0010
2362668 https://bugzilla.redhat.com/show_bug.cgi?id=2362668
cve-2025-22235 https://spring.io/security/cve-2025-22235
GHSA-rc42-6c7j-7h5r https://github.com/advisories/GHSA-rc42-6c7j-7h5r
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-22235.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/spring-projects/spring-boot
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-22235
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://security.netapp.com/advisory/ntap-20250516-0010
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://spring.io/security/cve-2025-22235
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-28T16:16:38Z/ Found at https://spring.io/security/cve-2025-22235
Exploit Prediction Scoring System (EPSS)
Percentile 0.39691
EPSS Score 0.00181
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:17:05.583375+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/22xxx/CVE-2025-22235.json 38.6.0