CVE-2025-22232

Severity CVSS v4.0:
Pending analysis
Type:
CWE-287 Authentication Issues
Publication date:
10/04/2025
Last modified:
11/04/2025

Description

Spring Cloud Config Server may not use the Vault token sent by clients in the X-CONFIG-TOKEN header when making requests to Vault.

Your application may be affected by this if all of the following are true:
* You have Spring Vault on the classpath of your Spring Cloud Config Server, and
* You are using the X-CONFIG-TOKEN header to send a Vault token to the Spring Cloud Config Server for the Config Server to use when making requests to Vault, and
* You are using the default Spring Vault SessionManager implementation, LifecycleAwareSessionManager, or a SessionManager implementation that persists the Vault token, such as SimpleSessionManager.

In this case the SessionManager persists the first token it retrieves and will continue to use that token even if subsequent client requests to the Spring Cloud Config Server include an X-CONFIG-TOKEN header with a different value.

Affected Spring Products and Versions

Spring Cloud Config:
* 2.2.1.RELEASE - 4.2.1

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
4.2.x                 4.2.2         OSS
4.1.x                 4.1.6         OSS
4.0.x                 4.0.10        Commercial
3.1.x                 3.1.10        Commercial
3.0.x                 4.1.6         OSS
2.2.x                 4.1.6         OSS

NOTE: Spring Cloud Config 3.0.x and 2.2.x are no longer under open source or commercial support. Users of these versions are encouraged to upgrade to a supported version.

No other mitigation steps are necessary.
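The failure mode the advisory describes is a caching problem rather than a parsing one: the first Vault token seen is kept, so every later client is served with that first client's credentials. The model below is an added illustration and is not code from the advisory, from Spring Cloud Config, or from Spring Vault. The class names (PersistingSessionManager, PerRequestSessionManager, ConfigServer), the helper functions, and the sample token strings are all constructed for this example; they only mirror the behaviour the advisory attributes to a token-persisting SessionManager versus one that honours each request's header.

```python
"""Constructed model of the token-caching behaviour described in CVE-2025-22232.

Not Spring code. It contrasts a SessionManager that persists the first Vault
token it sees (the advisory's description of LifecycleAwareSessionManager and
SimpleSessionManager) with one that uses the token carried by each request,
and provides a check a test suite could run against either behaviour.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

# Header name taken from the advisory.
CONFIG_TOKEN_HEADER = "X-CONFIG-TOKEN"


class PersistingSessionManager:
    """Keeps the first token it is handed and reuses it for every later call.

    Hypothetical stand-in for a SessionManager that persists the Vault token:
    once a token is cached, later header values are silently ignored.
    """

    def __init__(self) -> None:
        self._token: Optional[str] = None

    def session_token(self, candidate: str) -> str:
        if self._token is None:
            self._token = candidate
        return self._token


class PerRequestSessionManager:
    """Uses the token supplied with the current request and never caches it."""

    def session_token(self, candidate: str) -> str:
        return candidate


@dataclass
class VaultCallLog:
    """Records the token presented on each outgoing (simulated) Vault request."""

    tokens: List[str] = field(default_factory=list)


class ConfigServer:
    """Minimal stand-in for the Config Server's request path to Vault."""

    def __init__(self, session_manager, vault_log: VaultCallLog) -> None:
        self.session_manager = session_manager
        self.vault_log = vault_log

    def handle(self, headers: dict) -> str:
        token = headers.get(CONFIG_TOKEN_HEADER)
        if token is None:
            raise ValueError(f"request carries no {CONFIG_TOKEN_HEADER} header")
        used = self.session_manager.session_token(token)
        self.vault_log.tokens.append(used)  # what Vault would actually receive
        return used


def simulate(session_manager, header_tokens: Sequence[str]) -> List[str]:
    """Feed a sequence of client requests; return the tokens that reached Vault."""
    log = VaultCallLog()
    server = ConfigServer(session_manager, log)
    for tok in header_tokens:
        server.handle({CONFIG_TOKEN_HEADER: tok})
    return log.tokens


def tokens_forwarded_correctly(
    session_manager_factory: Callable[[], object], header_tokens: Sequence[str]
) -> bool:
    """Regression check: does each request's header token reach Vault unchanged?

    A server exhibiting the advisory's behaviour fails this for any sequence
    containing two distinct tokens.
    """
    return simulate(session_manager_factory(), header_tokens) == list(header_tokens)


# Constructed sample: two tenants presenting different tokens (placeholders).
SAMPLE_TOKENS = ["hvs.TENANT-A-PLACEHOLDER", "hvs.TENANT-B-PLACEHOLDER"]

if __name__ == "__main__":
    print("persisting manager :", simulate(PersistingSessionManager(), SAMPLE_TOKENS))
    print("per-request manager:", simulate(PerRequestSessionManager(), SAMPLE_TOKENS))
```

With the persisting manager, the second tenant's request goes to Vault under the first tenant's token, which is the cross-client credential reuse the advisory warns about; with the per-request manager every token is forwarded as sent. The tokens_forwarded_correctly check is the kind of assertion worth keeping in a Config Server deployment's test suite after upgrading to a fixed version.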

References to Advisories, Solutions, and Tools