Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2025-22232: Spring Cloud Config Server May Not Use Vault Token Sent By Clients
Description
Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault.
Your application may be affected by this if the following are true:
- You have Spring Vault on the classpath of your Spring Cloud Config Server and
- You are using the
X-CONFIG-TOKENheader to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault and - You are using the default Spring Vault
SessionManagerimplementationLifecycleAwareSessionManageror aSessionManagerimplementation that persists the Vault token such asSimpleSessionManager.
In this case the SessionManager persists the first token it retrieves and will continue to use that token even if client requests to the Spring Cloud Config Server include a X-CONFIG-TOKEN header with a different value.
Affected Spring Products and Versions
Spring Cloud Config:
- 2.2.1.RELEASE - 4.2.1
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 4.2.x | 4.2.2 | OSS |
| 4.1.x | 4.1.6 | OSS |
| 4.0.x | 4.0.10 | Commercial |
| 3.1.x | 3.1.10 | Commercial |
| 3.0.x | 4.1.6 | OSS |
| 2.2.x | 4.1.6 | OSS |
NOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.
No other mitigation steps are necessary.
If you cannot upgrade, then you can either:
- Remove Spring Vault from the classpath if it is not needed or
- Implement your own
SessionManagerthat does not persist the Vault token and provide a bean using that implementation in a@Configurationclass. For example:
public class StatelessSessionManager implements SessionManager {
private final ClientAuthentication clientAuthentication;
private final ReentrantLock lock = new ReentrantLock();
public StatelessSessionManager(ClientAuthentication clientAuthentication) {
Assert.notNull(clientAuthentication, "ClientAuthentication must not be null");
this.clientAuthentication = clientAuthentication;
}
public VaultToken getSessionToken() {
this.lock.lock();
try {
return this.clientAuthentication.login();
}
finally {
this.lock.unlock();
}
}
}
@Configuration
public class MySessionManagerConfiguration extends SpringVaultClientConfiguration {
private final VaultEnvironmentProperties vaultProperties;
public MySessionManagerConfiguration(VaultEnvironmentProperties vaultProperties, ConfigTokenProvider configTokenProvider, List authProviders) {
super(vaultProperties, configTokenProvider, authProviders);
this.vaultProperties = vaultProperties;
}
@Bean
@Primary
public SessionManager sessionManager() {
if (vaultProperties.getAuthentication() == null && !StringUtils.hasText(vaultProperties.getToken())) {
return new StatelessSessionManager(clientAuthentication());
}
return super.sessionManager();
}
}
Credit
This vulnerability was discovered and responsibly reported by Max Brauer and Mohammad Shamsi.
References
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all