CVE-2025-22235

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Your application may be affected by this if all the following conditions are met:

•  You use Spring Security
•  EndpointRequest.to() has been used in a Spring Security chain configuration
•  The endpoint which EndpointRequest references is disabled or not exposed via web
•  Your application handles requests to /null and this path needs protection

​

You are not affected if any of the following is true:

•  You don't use Spring Security
•  You don't use EndpointRequest.to()
•  The endpoint which EndpointRequest.to() refers to is enabled and is exposed
•  Your application does not handle requests to /null or this path does not need protection