CVE-2025-22235 Affecting keycloak-config-cli-fips package, versions <6.5.0-r0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-MINIMOSLATEST-KEYCLOAKCONFIGCLIFIPS-14174192
- published4 Dec 2025
- disclosed28 Apr 2025
Introduced: 28 Apr 2025
CVE-2025-22235 (opens in a new tab)How to fix?
Upgrade Minimos:latest keycloak-config-cli-fips to version 6.5.0-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream keycloak-config-cli-fips package and not the keycloak-config-cli-fips package as distributed by Minimos.
See How to fix? for Minimos:latest relevant fixed versions and status.
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
- You use Spring Security
- EndpointRequest.to() has been used in a Spring Security chain configuration
- The endpoint which EndpointRequest references is disabled or not exposed via web
- Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
- You don't use Spring Security
- You don't use EndpointRequest.to()
- The endpoint which EndpointRequest.to() refers to is enabled and is exposed
- Your application does not handle requests to /null or this path does not need protection