Spring has disclosed a critical vulnerability in Spring Cloud Gateway Server WebFlux that allows attackers to modify Spring Environment properties under specific configurations. Tracked as CVE-2025-41243, the flaw has been assigned the maximum severity rating of CVSS 10.0.
The advisory titles the issue “Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux.” The vulnerability is reachable when the gateway actuator endpoint is exposed over HTTP without proper security controls.
An application is considered vulnerable when all of the following conditions are met:
- It uses Spring Cloud Gateway Server WebFlux (the WebMVC variant is not affected).
- Spring Boot actuator is included as a dependency.
- The gateway actuator endpoint is explicitly exposed via: management.endpoints.web.exposure.include=gateway
- Actuator endpoints are both available and unsecured.
This chain of conditions allows an attacker to manipulate sensitive Spring Environment properties, leading to potential compromise of application behavior.
Spring Cloud Gateway is widely deployed in microservices architectures as a reactive API gateway, often at the edge of enterprise networks. With actuator endpoints commonly used for monitoring and operational insights, insecure exposure could provide attackers with direct manipulation access to application runtime properties.
The vulnerability impacts multiple supported and unsupported branches of Spring Cloud Gateway:
- 4.3.0 – 4.3.x
- 4.2.0 – 4.2.x
- 4.1.0 – 4.1.x
- 4.0.0 – 4.0.x
- 3.1.0 – 3.1.x
- Older, unsupported versions are also vulnerable.
The advisory recommends that all affected users upgrade to a patched version immediately:
- 4.3.x → 4.3.1 (OSS)
- 4.2.x → 4.2.5 (OSS)
- 4.1.x → 4.1.11 (Enterprise)
- 3.1.x → 3.1.11 (Enterprise)
Versions in the 4.0.x branch are out of support and require migration to a supported release.
For those unable to upgrade, Spring suggests:
- Removing gateway from the management.endpoints.web.exposure.include property.
- Securing actuator endpoints with proper authentication and access controls.
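The vulnerable-condition list above and the configuration workaround can both be checked mechanically before a deployment ships. The following Python script is an added example, not code from the advisory or from the Spring project: it reads a Spring Boot application.properties file, reports whether the gateway actuator endpoint would be served over HTTP, and emits a hardened copy with gateway removed from the include list. The sample properties inside it are constructed; the property names and the semantics it relies on (a `*` wildcard in the include list, the exclude list taking precedence over include, `management.endpoint.gateway.enabled=false` switching the endpoint off) are standard Spring Boot behaviour.

```python
"""Audit application.properties for the exposure condition behind CVE-2025-41243
(the 'gateway' actuator endpoint being reachable over HTTP) and emit a hardened copy.

Added example, not from the advisory or the Spring project. RISKY_PROPERTIES is a
constructed sample. Whether spring-boot-starter-actuator is on the classpath and
whether Spring Security guards /actuator cannot be read from properties alone and
must be checked separately."""

from typing import Dict, List

INCLUDE_KEY = "management.endpoints.web.exposure.include"
EXCLUDE_KEY = "management.endpoints.web.exposure.exclude"
ENABLED_KEY = "management.endpoint.gateway.enabled"

# Constructed sample: an edge gateway whose operators exposed the 'gateway'
# actuator endpoint alongside health and info for "operational visibility".
RISKY_PROPERTIES = """\
spring.application.name=edge-gateway
spring.cloud.gateway.routes[0].id=orders
spring.cloud.gateway.routes[0].uri=http://orders.internal:8080
# monitoring, but this also exposes route management over HTTP
management.endpoints.web.exposure.include=health,info,gateway
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: 'key=value' or 'key: value', comments start
    with '#' or '!', last occurrence of a key wins. Escapes and line
    continuations are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            idx = min(seps)
            key, value = line[:idx], line[idx + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def gateway_endpoint_exposed(props: Dict[str, str]) -> bool:
    """True when the 'gateway' actuator endpoint would be served over HTTP.
    '*' in include means every endpoint; exclude wins over include;
    management.endpoint.<id>.enabled=false disables the endpoint entirely."""
    if props.get(ENABLED_KEY, "true").lower() == "false":
        return False
    include = _csv(props.get(INCLUDE_KEY, ""))
    exclude = _csv(props.get(EXCLUDE_KEY, ""))
    if "gateway" in exclude or "*" in exclude:
        return False
    return "gateway" in include or "*" in include


def audit(props: Dict[str, str]) -> List[str]:
    """One finding per matched exposure condition; an empty list means clean."""
    findings: List[str] = []
    if gateway_endpoint_exposed(props):
        findings.append(
            f"{INCLUDE_KEY}={props.get(INCLUDE_KEY, '*')}: "
            "'gateway' actuator endpoint is exposed over HTTP")
    return findings


def harden(props: Dict[str, str]) -> Dict[str, str]:
    """Apply the advisory's workaround: drop 'gateway' from the include list.
    A wildcard include cannot be narrowed by removal, so in that case the
    endpoint is added to the exclude list instead, which Spring Boot evaluates
    first. An include list that becomes empty is deleted so Spring Boot's
    default (health only) applies."""
    hardened = dict(props)
    include = _csv(hardened.get(INCLUDE_KEY, ""))
    if "gateway" in include:
        include.remove("gateway")
        if include:
            hardened[INCLUDE_KEY] = ",".join(include)
        else:
            hardened.pop(INCLUDE_KEY, None)
    if "*" in include:
        exclude = _csv(hardened.get(EXCLUDE_KEY, ""))
        if "gateway" not in exclude:
            exclude.append("gateway")
        hardened[EXCLUDE_KEY] = ",".join(exclude)
    return hardened


def to_properties(props: Dict[str, str]) -> str:
    return "".join(f"{k}={v}\n" for k, v in props.items())


if __name__ == "__main__":
    before = parse_properties(RISKY_PROPERTIES)
    for finding in audit(before):
        print("FINDING:", finding)
    print("--- hardened application.properties ---")
    print(to_properties(harden(before)), end="")
```

Removing the endpoint from the include list is the configuration half of the workaround; the second mitigation in the list (authentication and access control on actuator endpoints) is done in Spring Security, for example by matching `EndpointRequest.toAnyEndpoint()` in the WebFlux security configuration and requiring an administrative role, and is not visible to a properties audit.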