CVE-2025-22232

CWE-287Improper Authentication4 documents4 sources
Severity
5.3MEDIUM
EPSS
0.2%
top 54.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Spring Spring Cloud Config
Timeline
PublishedApr 10

Description

Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true: * You have Spring Vault on the classpath of your Spring Cloud Config Server and * You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and * You are using the default Spring Vault SessionManager impleme

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

CVEListV5spring/spring_cloud_config4.2.x4.2.2+5

🔴Vulnerability Details

2
CVEList
Spring Cloud Config Server May Not Use Vault Token Sent By Clients2025-04-10
GHSA
GHSA-qpfh-2wpm-c362: Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault2025-04-10

📋Vendor Advisories

1
Red Hat
spring-cloud-config-server: Spring Cloud Config Server May Not Use Vault Token Sent By Clients2025-04-10
CVE-2025-22232 (MEDIUM CVSS 5.3) | Spring Cloud Config Server may not | cvebase.io