CVE-2025-22235: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
Description
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:
- You use Spring Security
- EndpointRequest.to() has been used in a Spring Security chain configuration
- The endpoint which EndpointRequest references is disabled or not exposed via web
- Your application handles requests to /null and this path needs protection …
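The following configuration is an added illustration of the affected shape and of one defensive layout; it is not code from this advisory or from the Spring Boot / Spring Security projects. It assumes the Spring Security 6 lambda DSL, a hypothetical application whose actuator exposure is limited by management.endpoints.web.exposure.include, the endpoint id "health", and the role name ACTUATOR (all assumptions). The advisory's fourth condition is what the hardened layout removes: whatever matcher EndpointRequest.to() degrades to, it is only ever consulted inside a chain that requests to /null never enter.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // AFFECTED SHAPE (hypothetical application config, not the advisory's own).
    // Assumes application.properties does NOT expose "health" over the web, e.g.
    //   management.endpoints.web.exposure.include=info
    // Per the advisory, EndpointRequest.to("health") then yields a "null/**"
    // matcher instead of one for the health endpoint path, so permitAll()
    // applies to /null/** and any application handler mounted there is no
    // longer covered by the anyRequest().authenticated() fallback.
    //
    // @Bean
    // SecurityFilterChain affectedChain(HttpSecurity http) throws Exception {
    //     http.authorizeHttpRequests(auth -> auth
    //             .requestMatchers(EndpointRequest.to("health")).permitAll()
    //             .anyRequest().authenticated())
    //         .httpBasic(Customizer.withDefaults());
    //     return http.build();
    // }

    // HARDENED LAYOUT: keep every EndpointRequest.to() rule inside a dedicated
    // chain whose securityMatcher is the actuator base path. The advisory's
    // conditions concern to(); the chain selector here is toAnyEndpoint(), so a
    // request to /null is dispatched to the application chain below and the
    // degraded matcher inside this chain is never evaluated for it.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http.securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                .anyRequest().hasRole("ACTUATOR"))           // ACTUATOR: assumed role
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // The application chain protects /null (and every other application path)
    // on its own, independent of any actuator matcher.
    @Bean
    @Order(2)
    SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check for the first three conditions is to grep the code base for EndpointRequest.to( and compare each endpoint id or class against management.endpoints.web.exposure.include and the corresponding management.endpoint.<id>.enabled setting in every active profile; any referenced endpoint that is disabled or not included is one whose matcher the advisory describes.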