
CVE-2025-22235: CWE-20 Improper Input Validation in Spring Boot

High
Published: Mon Apr 28 2025 (04/28/2025, 07:10:35 UTC)
Source: CVE
Vendor/Project: Spring
Product: Spring Boot

Description

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:
* You don't use Spring Security
* You don't use EndpointRequest.to()
* The endpoint which EndpointRequest.to() refers to is enabled and is exposed
* Your application does not handle requests to /null or this path does not need protection

AI-Powered Analysis

Last updated: 07/11/2025, 21:31:41 UTC

Technical Analysis

CVE-2025-22235 is a high-severity vulnerability affecting multiple versions of Spring Boot (2.7.x, 3.1.x, 3.2.x, 3.3.x, 3.4.x), classified as improper input validation (CWE-20) in the EndpointRequest.to() method that Spring Boot applications use in Spring Security chain configurations. This method is designed to create a request matcher for actuator endpoints. The vulnerability arises when EndpointRequest.to() generates a matcher for the path null/** because the referenced actuator endpoint is disabled or not exposed via the web. Any access rule attached to that matcher therefore applies to the /null path rather than to the intended actuator path, which can inadvertently expose /null if the application handles requests to this path and expects it to be protected.

The flaw occurs only under specific conditions: the application must use Spring Security, employ EndpointRequest.to() in its security chain configuration, have the referenced endpoint disabled or not exposed, and handle requests to /null that require protection. If these conditions are met, an attacker could potentially bypass security controls on the /null path, leading to unauthorized access or manipulation. The CVSS v3.1 score of 7.3 reflects a high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.

This vulnerability is particularly relevant for applications that rely on Spring Boot's actuator endpoints for monitoring and management and use Spring Security to protect sensitive paths. Misconfiguration or unawareness of this edge case could lead to security bypasses, especially in complex enterprise environments where actuator endpoints are selectively exposed or disabled.

Potential Impact

For European organizations, the impact of CVE-2025-22235 can be significant, especially for those relying heavily on Spring Boot for their web applications and microservices architectures. The vulnerability could allow attackers to bypass security controls on the /null path, potentially gaining unauthorized access to sensitive application functions or data. This could lead to data leakage, unauthorized actions, or service disruption. Given the widespread adoption of Spring Boot in Europe across sectors such as finance, healthcare, government, and telecommunications, exploitation could affect critical infrastructure and sensitive personal data protected under GDPR. The improper input validation flaw undermines the integrity and confidentiality of applications, and the availability could also be impacted if attackers leverage this to disrupt services. The absence of known exploits currently reduces immediate risk, but the ease of exploitation (no authentication or user interaction required) means that once exploit code becomes available, attacks could escalate rapidly. Organizations with complex security configurations that disable or selectively expose actuator endpoints are at higher risk, as they might unknowingly expose the /null path. This vulnerability also poses compliance risks, as breaches resulting from it could lead to regulatory penalties under European data protection laws.

Mitigation Recommendations

To mitigate CVE-2025-22235 effectively, European organizations should:
1) Audit their Spring Boot applications to identify usage of Spring Security combined with EndpointRequest.to() in security chain configurations.
2) Verify the exposure status of actuator endpoints and ensure that disabled or non-exposed endpoints do not inadvertently create matchers for /null or other unintended paths.
3) Implement explicit security rules to deny or restrict access to the /null path if it is not intended to be accessible.
4) Upgrade Spring Boot to patched versions once available; no patch links are currently provided, so monitoring vendor advisories is critical.
5) Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting /null paths.
6) Conduct thorough security testing, including fuzzing and penetration testing, focusing on actuator endpoints and path matching logic.
7) Educate development and security teams about this vulnerability to avoid misconfigurations in future deployments.
8) Monitor logs and network traffic for anomalous requests to /null or related paths that could indicate exploitation attempts.
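The affected configuration shape described above, next to a hardened form implementing recommendation 3, as an added illustration that is not code from the advisory or from the Spring project. It assumes Spring Boot 3.x with the Spring Security 6 API, an application.properties that exposes only the health endpoint (so "info" is not exposed), and that a permissive rule was attached to the EndpointRequest.to() matcher; class, method and role names are constructed for the example.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Assumed application.properties (constructed for this example):
//   management.endpoints.web.exposure.include=health
// The "info" endpoint is therefore NOT exposed over the web.
@Configuration
public class ActuatorSecurityConfig {

    // Affected shape on an unpatched Spring Boot (not registered as a bean,
    // shown for contrast only): because "info" is not exposed,
    // EndpointRequest.to("info") resolves to a matcher for "null/**", so the
    // permitAll() rule silently applies to /null instead of the actuator path.
    SecurityFilterChain affectedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers(EndpointRequest.to("info")).permitAll()
            .anyRequest().authenticated());
        return http.build();
    }

    // Hardened shape: rules are evaluated in order, so pin /null down first
    // with an explicit denyAll(), and only build EndpointRequest matchers for
    // endpoints that are actually enabled and exposed. Upgrading Spring Boot
    // once a fixed version is available remains the real fix.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/null", "/null/**").denyAll()
            .requestMatchers(EndpointRequest.to("health")).permitAll()
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
            .anyRequest().authenticated());
        return http.build();
    }
}
```

A quick check for recommendation 2 is to request /null from the running application with no credentials: with the affected chain it answers as if permitted, with the hardened chain it is denied regardless of what the EndpointRequest matcher resolved to.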


Technical Details

Data Version
5.1
Assigner Short Name
vmware
Date Reserved
2025-01-02T04:30:06.832Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f91484d88663aeba5d

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 9:31:41 PM

Last updated: 8/8/2025, 12:22:09 PM
