CVE-2025-41243NVD

Vulnerability Summary

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.

An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* Spring Boot actuator is a dependency.
* The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

Severity Level

CRITICAL(10.0)

Published Date

Sep 16, 2025

Last Modified

Sep 17, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-94: Code Injection ↗

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended syntax or behavior.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://spring.io/security/cve-2025-41243

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2025-41243NVD

Vulnerability Summary

External References