Intel

AIKIDO-2025-10226

spring-cloud-config-server is vulnerable to Authentication bypass

Authentication bypass
CVE-2025-22232

50

Medium Risk

This Affects:

java: spring-cloud-config-server
2.0.0 - 3.1.9: fixed in 3.1.10
4.0.0 - 4.0.9: fixed in 4.0.10
4.1.0 - 4.1.5: fixed in 4.1.6
4.2.0 - 4.2.0: fixed in 4.2.1

TL;DR

Affected versions of Spring Cloud Config Server may fail to use the Vault token provided by clients via the X-CONFIG-TOKEN header when interacting with Vault. This occurs if Spring Vault is on the classpath and the application uses a SessionManager implementation like LifecycleAwareSessionManager or SimpleSessionManager, which persist the first retrieved token. As a result, even when clients supply a different token in subsequent requests, the server continues to use the initially cached token, potentially leading to authorization issues or unintended access.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

spring-cloud-config-server is vulnerable to Authentication bypass in versions 4.2.0 - 4.2.0, 4.1.0 - 4.1.5, 4.0.0 - 4.0.9 and 2.0.0 - 3.1.9.

How to fix this

Upgrade the org.springframework.cloud:spring-cloud-config-server library to a patched version. If you cannot upgrade, either remove Spring Vault from the classpath if it is unused, or implement a custom SessionManager that does not persist the Vault token and register it as a bean in a @Configuration class. Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support, and users of these versions are encouraged to upgrade to a supported version. The lowest patched open source supported version is 4.1.6.
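The following is an added example of the custom SessionManager workaround described above; it is not Spring Cloud Config's own code nor the upstream fix, and it also illustrates the caching behaviour described in the TL;DR. It assumes a ClientAuthentication bean is already present in the context (in Spring Cloud Config Server that is the authentication that resolves the per-request X-CONFIG-TOKEN header), and the class and bean names are the author's choice. Unlike LifecycleAwareSessionManager or SimpleSessionManager, which keep the first token they obtain, this implementation re-runs login() on every call, so the token of the current request is used rather than the first one seen.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.SessionManager;
import org.springframework.vault.support.VaultToken;

/**
 * Registers a SessionManager that never persists a Vault token.
 * Illustrative workaround configuration, not Spring Cloud Config's own code.
 */
@Configuration
public class NonCachingVaultSessionConfig {

    /**
     * A SessionManager with no token field at all: every call to
     * getSessionToken() asks the ClientAuthentication for a fresh token.
     * In Config Server the assumed ClientAuthentication resolves the
     * X-CONFIG-TOKEN header of the request currently being served, so two
     * clients sending different tokens get their own token, not the first
     * token the server happened to cache.
     */
    static final class PerRequestSessionManager implements SessionManager {

        private final ClientAuthentication clientAuthentication;

        PerRequestSessionManager(ClientAuthentication clientAuthentication) {
            this.clientAuthentication = clientAuthentication;
        }

        @Override
        public VaultToken getSessionToken() {
            // Deliberately not cached: the result is returned, never stored.
            return clientAuthentication.login();
        }
    }

    /**
     * Bean registration as the advisory suggests. The assumed
     * ClientAuthentication bean is injected by the container.
     */
    @Bean
    public SessionManager sessionManager(ClientAuthentication clientAuthentication) {
        return new PerRequestSessionManager(clientAuthentication);
    }
}
```

One thing to check after wiring this in: Spring Vault's base configuration also declares a bean named sessionManager, and Spring Boot rejects conflicting bean definitions by default (spring.main.allow-bean-definition-overriding is false), so if startup reports a conflict the override has to be resolved explicitly rather than silently falling back to the caching default. Verify the workaround end to end by sending two requests with different X-CONFIG-TOKEN values and confirming in Vault's audit log that each request arrives with its own token.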