Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to has been used in a Spri...
ai.driftkit:driftkit-audio-core (>=0.5.0 <=0.8.3), ai.driftkit:driftkit-audio-spring-boot-starter (>=0.5.0 <=0.8.7) +4054 more potentially affected by CVE-2025-22235 via org.springframework.boot:spring-boot (>=3.3.0 <=3.3.10)
org.springframework.boot:spring-boot MAVEN version =3.3.0, =0.5.0, =0.5.0, =0.5.0, =0.5.8, =0.5.0, =0.5.7, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.5.0, =0.5.0, =0.7.9, =0.6.0, =0.6.0, =0.8.7 and more Source cves: CVE-2025-22235 Source advisory: OSV:GHSA-RC42-6C7J-7H5R...
CVE-2025-22235 Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to has been used in a Spri...
CVE-2025-22235
CVE-2025-22235 : EndpointRequest.to() creates a matcher for /null when the actuator endpoint is disabled or not exposed. IBM advisories confirm this CVE as addressed by IBM Library Support for Spring: upgrade to fixed versions in the remediation table (e.g., IBM Library Support for Spring 6.2.x →...
PT-2025-18049
Name of the Vulnerable Software and Affected Versions Spring Boot version 2.7.x Description The issue arises when EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. An application may be affected if ...
VMware Spring Boot < 2.7.25, 3.0.x < 3.1.16, 3.2.x < 3.2.14, 3.3.x < 3.3.11, 3.4.x < 3.4.5 Matcher Vulnerability - Linux
VMware Spring Boot is prone to a matcher vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:vmware:springboot";...
VMware Spring Boot Security Vulnerability
VMware Spring Boot is a set of open source frameworks from VMware, Inc. A security vulnerability exists in VMware Spring Boot that stems from EndpointRequest.to creating a null/ matcher when the endpoint is disabled or unexposed, which could lead to a security constraint bypass...
VMware Spring Boot < 2.7.25, 3.0.x < 3.1.16, 3.2.x < 3.2.14, 3.3.x < 3.3.11, 3.4.x < 3.4.5 Matcher Vulnerability - Windows
VMware Spring Boot is prone to a matcher vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:vmware:springboot";...
spring-boot-admin Injection Vulnerability
spring-boot-admin is a codecentric open-source backend management system based on Spring Boot and MyBatis, with three functions (user management, menu management and role management) and permission control down to the button level. spring-boot-admin version 1.0 has injection vulnerabilities,...
ai.langsa:ccaas-starter (>=0.5 <=cloud-0.3), au.csiro.pathling:fhir-server (>=6.4.0 <=7.1.0) +4643 more potentially affected by CVE-2025-22235 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=2.7.0 <=3.3.10)
org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =2.7.0, =0.5, =6.4.0, =1.1.0, =2.3.0, =1.1.0, =1.1.0, =2.10.0, =1.1.0, =1.1.0, =2.3.0, =1.1.0, =1.1.0, =1.1.0, =2.3.0, =3...
ai.ancf.lmos:arc-runner (=0.114.0), ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0) +1606 more potentially affected by CVE-2025-22235 via org.springframework.boot:spring-boot-actuator-autoconfigure (>=3.4.0 <=3.4.4)
org.springframework.boot:spring-boot-actuator-autoconfigure MAVEN version =3.4.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =0.1.0, =1.10.0, =1.10.0, =1.10.0, =1.55.1, =2.3.0 and more Source cves: CVE-2025-22235 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKBOOT-98045...
This Week in Spring - April 22nd, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring , which I'm writing from magnificent Minneapolis, Minnesota, where I'm recording an amazing Frontend Masters course introducing Spring Boot. I love this article introducing Spring AI in JavaPro magazine Want to run an LLM...
My-BBS Security Vulnerability
My-BBS is a SpringBoot + Mybatis + Thymeleaf technology implemented BBS forum system by ZHENFENG13 individual developer. A security vulnerability exists in My-BBS version 1.0, which stems from a cross-site request forgery issue...
Spring Boot common-user-management 0.1 Shell Upload
Spring Boot common-user-management version 0.1 suffers from a remote shell upload vulnerability. Exploit Title: Unrestricted File Upload Google Dork: Date: 14/Nov/2024 Exploit Author: d3sca Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase Software Link:...
Spring Boot common-user-management 0.1 - Remote Code Execution (RCE)
Exploit Title: Unrestricted File Upload Google Dork: Date: 14/Nov/2024 Exploit Author: d3sca Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase Software Link: https://github.com/OsamaTaher/Java-springboot-codebase Version: app version 0.1 Tested on: Debian Linux CVE :...
Exploit for CVE-2024-38819
This is a proof-of-concept PoC exploit for CVE-2024-38819, a high-risk path traversal vulnerability in the Spring Framework. The vulnerability allows an attacker to access sensitive files on the server by constructing a malicious HTTP request with a specially crafted path. The PoC code is a simpl...
nimrod SQL Injection Vulnerability
nimrod is a Spring Boot-based enterprise-grade monolithic application rapid development framework for the Java Web platform by the individual developer godcheese. A SQL injection vulnerability exists in nimrod version 0.8, which stems from the fact that incorrect manipulation of the parameter Nam...
nimrod Code Issue Vulnerability
nimrod is a Spring Boot-based enterprise-grade monolithic application rapid development framework for the Java Web platform by the individual developer godcheese. A code issue vulnerability exists in nimrod version 0.8, which stems from an incorrect operation of the parameter File that can lead t...
This Week in Spring - April 1st, 2025
Hi, Spring fans! Welcome to another exciting installment of This Week in Spring! It's April Fools' Day, so be wary of things you read on the internet, but it's also the 11th anniversary of Spring Boot 1.0, which was released this day in 2014! That's not an April Fools' joke. Happy birthday! I'm in...