How the CVE Works:
CVE-2025-12345 affects Spring Boot’s `EndpointRequest.to()` matcher. When the actuator endpoint passed to it is disabled or not exposed over the web, there is no path mapped for that endpoint and the method builds a matcher for `null/**` instead of the endpoint’s real path (for example `/actuator/health/**`). The security rule attached to that matcher, most often `permitAll()`, is therefore applied to requests under `/null/` rather than to the endpoint, so any handler the application maps under that path is reachable with the wrong authorization. An application is affected only if all of the following hold: it uses Spring Security, it calls `EndpointRequest.to()` in a security filter chain, the referenced endpoint is disabled or not exposed, and it serves something under `/null` that needs protection.
DailyCVE Form:
Platform: Spring Boot
Version: 2.7.0-2.7.24, 3.1.0-3.1.15, 3.2.0-3.2.13, 3.3.0-3.3.10, 3.4.0-3.4.4
Vulnerability: Security Bypass
Severity: High
Date: Apr 28, 2025
What Undercode Says:
Exploit:
1. Confirm the target runs an affected Spring Boot version together with Spring Security.
2. Find a filter chain rule built with `EndpointRequest.to()` for an endpoint that is disabled or not exposed (the endpoint itself still answers 404).
3. Request paths under `/null/`: the rule meant for the endpoint, commonly `permitAll()`, applies there instead, exposing whatever the application serves at that path.
Protection:
1. Upgrade to a patched release (3.4.5 or 3.3.11; the 3.2, 3.1 and 2.7 lines are out of open-source support).
2. Only call `EndpointRequest.to()` for endpoints that are actually enabled and listed in `management.endpoints.web.exposure.include`; use `EndpointRequest.toAnyEndpoint()` or explicit path matchers otherwise.
3. Keep a default-deny rule (`anyRequest().authenticated()` or `denyAll()`) last in the chain so nothing reachable under `/null/` is left open by accident.
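The following is an added example, not code from the original post or from the Spring project. It places the configuration pattern the advisory describes (an `EndpointRequest.to()` rule for an endpoint that is not exposed) next to a hardened chain, and covers both the mechanism above and the protection steps. The package name, the `ACTUATOR` role and the property values in the comments are assumptions; it assumes Spring Boot 3.x with `spring-boot-starter-actuator` and `spring-boot-starter-security` on the classpath.

```java
package com.example.demo; // hypothetical package

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // VULNERABLE pattern on an unpatched Spring Boot. Assume application.properties has
    //   management.endpoints.web.exposure.include=info
    // so "health" is NOT exposed over the web. EndpointRequest.to("health") then has no
    // mapped path and builds a matcher for "null/**" instead of "/actuator/health/**".
    // The permitAll() below is therefore granted to every request under /null/, while the
    // health endpoint itself keeps answering 404. Kept as a plain method (no @Bean) so it
    // is not registered; it is here to show the shape of the bug.
    SecurityFilterChain vulnerableChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                .anyRequest().authenticated());
        return http.build();
    }

    // HARDENED form. toAnyEndpoint() is built from the endpoints that are actually mapped,
    // so no rule is attached to a "null" path, and the chain ends with default-deny for
    // everything else. If you still need a per-endpoint exception, make sure the endpoint
    // is both enabled and listed in management.endpoints.web.exposure.include, and upgrade
    // to 3.4.5 / 3.3.11 where the matcher no longer degrades to "null/**".
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR") // assumed role
                .anyRequest().authenticated());
        return http.build();
    }
}
```

Two things to check when reviewing a chain like this: whether every id passed to `EndpointRequest.to()` is actually exposed in the running profile (exposure lists often differ between `dev` and `prod`), and whether the chain ends in a deny-by-default rule rather than `permitAll()`, since the former limits the blast radius of any mis-built matcher.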
Analytics:
- CVSS Score: 8.5 (High)
- Attack Vector: Network
- Complexity: Low
Commands:
Check Spring Boot version (Maven):
./mvnw dependency:list | grep 'org.springframework.boot'
Patch via Maven: bump the Spring Boot parent so spring-boot-actuator and the starters move together (pinning only spring-boot-starter-actuator to a newer version leaves the rest of the stack on the old release):
<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>3.4.5</version>
</parent>
Code Snippet (Mitigation): avoid `EndpointRequest.to()` for endpoints that may not be exposed; `toAnyEndpoint()` only covers endpoints that are actually mapped.
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(auth -> auth
        // all mapped actuator endpoints require an authenticated user
        .requestMatchers(EndpointRequest.toAnyEndpoint()).authenticated()
        // everything else is open; tighten to authenticated() if the app has non-public routes
        .anyRequest().permitAll()
    );
    return http.build();
}
Detection Script: a disabled or unexposed endpoint answers 404 whether or not the application is affected, so probing `/actuator/<endpoint>` tells you nothing. The signal is an unauthenticated 200 on a path under `/null/` that the application handles and that should be protected.
import requests

def check_vulnerability(url, timeout=5):
    """Return True if an unauthenticated request to /null/ is served with 200.

    A 401/403/404 here is the expected outcome; a 200 means the rule built for
    the unexposed endpoint has been applied to /null/** instead.
    """
    response = requests.get(f"{url.rstrip('/')}/null/", allow_redirects=False, timeout=timeout)
    return response.status_code == 200
Log Monitoring (Spring Security emits no "Unauthorized actuator access" message; watch the request path in the access log instead, assuming access logging is enabled and written to the path below):
grep -F ' /null/' /var/log/spring-app.log