Spring Expression Language property modification using Spring Cloud Gateway Server...

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* Spring Boot actuator is a dependency.
* The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

Basic Information

ID CVE-2025-41243

Source vmware

Published Sep 16, 2025 at 14:54

Modified Sep 16, 2025 at 16:13

Affected Product

Vendor Spring

Product Cloud Gateway

Version 4.3.x

Affected Versions Spring Cloud Gateway 4.3.x
Spring Cloud Gateway 4.2.x
Spring Cloud Gateway 4.1.x, 4.0.x
Spring Cloud Gateway 3.1.x

CWE Classification

CWE-917 CWE-94

References

spring.io /security/cve-2025-41243

{
    "lastseen": "",
    "description": "Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.\n\nAn application should be considered vulnerable when all the following are true:\n\n  *  The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).\n  *  Spring Boot actuator is a dependency.\n  *  The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.\n  *  The actuator endpoints are available to attackers.\n  *  The actuator endpoints are unsecured.",
    "published": "2025-09-16T14:54:57.396Z",
    "modified": "2025-09-16T16:13:43.727Z",
    "type": "cve",
    "title": "Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2025-41243",
    "id": "CVE-2025-41243",
    "bulletinFamily": "",
    "cwe": [
        "CWE-917",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "Spring Cloud Gateway 4.3.x\nSpring Cloud Gateway 4.2.x\nSpring Cloud Gateway 4.1.x, 4.0.x\nSpring Cloud Gateway 3.1.x",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Cloud Gateway",
    "version": "4.3.x",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux_CVE-2025-41243