Vulnerability in Spring Cloud Config Server Affects Token Management
CVE-2025-22232

5.3 MEDIUM

Key Information:

Vendor: Spring
CVE Published: 10 April 2025

What is CVE-2025-22232?

Spring Cloud Config Server contains a vulnerability that may prevent it from correctly using a Vault token that a client sends in the X-CONFIG-TOKEN header. The issue occurs when Spring Vault is on the Config Server's classpath and the default SessionManager implementation is used: an affected server may keep using the first persistent Vault token it retrieved rather than the token supplied with each request, which is a risk when different clients authenticate with different tokens. Users running the affected versions should upgrade to a fixed version to ensure that per-client token handling works as intended.

Affected Version(s)

Spring Cloud Config 4.2.x < 4.2.2

Spring Cloud Config 4.1.x < 4.1.6

Spring Cloud Config 4.0.x < 4.0.10
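The exposure conditions above (an affected Config Server version together with Spring Vault on the classpath) can be checked against a build's dependency list. The following is an added example, not code from the advisory or from the Spring project; it assumes the Maven coordinates org.springframework.cloud:spring-cloud-config-server and org.springframework.vault:spring-vault-core, and the group:artifact:type:version:scope line format produced by `mvn dependency:list`. Whether the default SessionManager is in use cannot be read from dependencies, so a match is reported as "exposed" rather than as confirmed vulnerable.

```python
import re

# Affected lines from the advisory: (major, minor) -> first fixed patch level.
AFFECTED = {
    (4, 2): 2,   # 4.2.x < 4.2.2
    (4, 1): 6,   # 4.1.x < 4.1.6
    (4, 0): 10,  # 4.0.x < 4.0.10
}

# Assumed Maven coordinates of the two artifacts that matter here.
CONFIG_SERVER = "org.springframework.cloud:spring-cloud-config-server"
SPRING_VAULT = "org.springframework.vault:spring-vault-core"

# Constructed sample of `mvn dependency:list` output (assumed format).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:4.1.5:compile
[INFO]    org.springframework.vault:spring-vault-core:jar:3.1.2:compile
[INFO]    org.springframework.boot:spring-boot:jar:3.3.5:compile
"""

def parse_version(version):
    """Return (major, minor, patch) from a leading numeric version; None if absent."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None

def config_server_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    if parsed is None:
        return False
    major, minor, patch = parsed
    fixed = AFFECTED.get((major, minor))
    return fixed is not None and patch < fixed

def parse_dependency_list(text):
    """Map 'group:artifact' -> version for each dependency line (assumed format)."""
    deps = {}
    for line in text.splitlines():
        m = re.search(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+", line)
        if m:
            deps[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return deps

def assess(text):
    """Classify a dependency list against the advisory's exposure conditions."""
    deps = parse_dependency_list(text)
    version = deps.get(CONFIG_SERVER)
    if version is None:
        return "not-applicable"            # no Config Server in this build
    if not config_server_affected(version):
        return "fixed"                     # version is outside the affected ranges
    if SPRING_VAULT not in deps:
        return "vulnerable-version-no-vault"  # trigger condition (Spring Vault) absent
    return "exposed"                       # affected version and Spring Vault present
```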


CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
