VMware Tanzu’s Spring team has released fixes for two vulnerabilities impacting Spring Cloud Gateway and the Spring Framework, one of which could allow attackers to expose sensitive environment variables and system properties, while the other enables unauthorized WebSocket message injection.
The flaws are tracked as CVE-2025-41253 and CVE-2025-41254, respectively, and affect a wide range of Spring OSS and commercial versions.
The first issue, CVE-2025-41253, affects Spring Cloud Gateway Server Webflux (but not WebMVC) and arises from the misuse of Spring Expression Language (SpEL) within application routes.
According to the Spring team, an application is considered vulnerable if all the following conditions are met:
- It uses Spring Cloud Gateway Server Webflux.
- An admin or untrusted third party has the ability to define routes using SpEL expressions.
- The actuator endpoints (management.endpoints.web.exposure.include=gateway) are both enabled and unsecured.
This configuration could allow attackers to read environment variables, system properties, or other sensitive data, potentially leaking authentication tokens, API keys, or database credentials from the application’s runtime environment.
The vulnerability affects the following Spring Cloud Gateway versions:
- 4.3.0 – 4.3.x
- 4.2.0 – 4.2.x
- 4.1.0 – 4.1.x
- 4.0.0 – 4.0.x
- 3.1.0 – 3.1.x
- Older, unsupported versions are also impacted.
Spring has issued fixes in these releases:
- 4.3.2 (OSS)
- 4.2.6 (OSS)
- 4.1.12 (Commercial)
- 3.1.12 (Commercial)
Users unable to upgrade immediately can take interim steps:
“Remove ‘gateway’ from the management.endpoints.web.exposure.include property or secure the actuator endpoints,” Spring recommends.
This prevents attackers from reaching sensitive actuator endpoints that could be abused for remote SpEL execution.
The second issue, CVE-2025-41254, impacts Spring Framework’s STOMP over WebSocket feature and could allow attackers to send unauthorized messages by bypassing Cross-Site Request Forgery (CSRF) protections.
“STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages,” the advisory states.
This vulnerability poses a risk for real-time applications such as live chat systems, financial dashboards, or IoT control panels that rely on Spring’s WebSocket implementation for client-server communication.
The following versions of Spring Framework are affected:
- 6.2.0 – 6.2.11
- 6.1.0 – 6.1.23
- 6.0.x – 6.0.29
- 5.3.0 – 5.3.45
Patches are available in:
- 6.2.12 (OSS)
- 6.1.24 (Commercial)
- 5.3.46 (Commercial)
Older, unsupported releases remain vulnerable and require manual mitigation or an upgrade to supported versions.
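As an added example that is not part of the advisory or the Spring project's own tooling, the following Python audit helper ties together the two checks that can be made from build metadata and configuration alone: whether a Spring Cloud Gateway or Spring Framework version is at or past the fixed release listed above (CVE-2025-41253 and CVE-2025-41254 respectively), and whether the `gateway` actuator endpoint is exposed through `management.endpoints.web.exposure.include`, the third precondition for CVE-2025-41253, shown with a constructed weak configuration beside the corrected one. The fixed-version tables, the constructed property files and the `audit`/`patch_status` names are this example's own; the Spring Boot rule that `exclude` takes precedence over `include` is standard documented behaviour. It cannot tell whether an exposed endpoint is secured; that still has to be verified in the application's security configuration.

```python
"""Constructed audit helpers for the two advisories above (not Spring's own tooling).

They cover what can be read from build metadata and configuration alone:
  1. whether a Spring Cloud Gateway or Spring Framework version is at or past the
     fixed release the advisory lists, and
  2. whether the 'gateway' actuator endpoint is exposed over HTTP through
     management.endpoints.web.exposure.include (third CVE-2025-41253 precondition).
Whether exposed endpoints are *secured* must still be checked in the security config.
"""
from typing import Dict, List, Tuple

# First fixed patch level per major.minor branch, as stated in the advisory.
GATEWAY_FIXED: Dict[str, int] = {"4.3": 2, "4.2": 6, "4.1": 12, "3.1": 12}
FRAMEWORK_FIXED: Dict[str, int] = {"6.2": 12, "6.1": 24, "5.3": 46}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); qualifiers like '-SNAPSHOT' or '.RELEASE' are ignored."""
    nums: List[int] = []
    for part in version.split("-")[0].split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def patch_status(version: str, fixed: Dict[str, int]) -> str:
    """'fixed', 'affected', or 'not_listed' (a branch newer than any the advisory covers)."""
    major, minor, patch = parse_version(version)
    branch = f"{major}.{minor}"
    if branch in fixed:
        return "fixed" if patch >= fixed[branch] else "affected"
    newest = max(tuple(int(x) for x in b.split(".")) for b in fixed)
    if (major, minor) > newest:
        return "not_listed"
    # Branches with no fixed release (e.g. Gateway 4.0.x, Framework 6.0.x) are
    # unsupported and, per the advisory, remain vulnerable.
    return "affected"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal application.properties reader: key=value or key: value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def _id_set(props: Dict[str, str], key: str) -> set:
    """Comma-separated endpoint ids (or '*') under `key`, as a set."""
    return {s.strip() for s in props.get(key, "").split(",") if s.strip()}


def gateway_endpoint_exposed(props: Dict[str, str]) -> bool:
    """True when the 'gateway' actuator endpoint is reachable over the web.

    Spring Boot semantics: include/exclude hold endpoint ids or '*', and
    exclude takes precedence over include.
    """
    include = _id_set(props, "management.endpoints.web.exposure.include")
    exclude = _id_set(props, "management.endpoints.web.exposure.exclude")
    if "gateway" in exclude or "*" in exclude:
        return False
    return "gateway" in include or "*" in include


def audit(gateway_version: str, framework_version: str, properties_text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing from the advisory applies."""
    findings: List[str] = []
    if patch_status(gateway_version, GATEWAY_FIXED) == "affected":
        findings.append(f"Spring Cloud Gateway {gateway_version} lacks the CVE-2025-41253 fix")
    if patch_status(framework_version, FRAMEWORK_FIXED) == "affected":
        findings.append(f"Spring Framework {framework_version} lacks the CVE-2025-41254 fix")
    if gateway_endpoint_exposed(parse_properties(properties_text)):
        findings.append("actuator 'gateway' endpoint is exposed; remove it from "
                        "management.endpoints.web.exposure.include or secure it")
    return findings


# Constructed configurations: the weak setting and the corrected one.
WEAK_CONFIG = """
# exposes every actuator endpoint, including 'gateway'
management.endpoints.web.exposure.include=*
"""
FIXED_CONFIG = """
# only health and info are exposed; 'gateway' is no longer reachable over HTTP
management.endpoints.web.exposure.include=health,info
"""

if __name__ == "__main__":
    for label, gw, fw, cfg in (("before", "4.3.1", "6.2.11", WEAK_CONFIG),
                               ("after", "4.3.2", "6.2.12", FIXED_CONFIG)):
        print(f"{label}: {audit(gw, fw, cfg) or ['no findings']}")
```

Run against the weak configuration with pre-fix versions the audit reports three findings; with the corrected configuration and the fixed releases it reports none. Branches newer than anything the advisory lists are reported as `not_listed` rather than silently treated as safe, since the advisory says nothing about them.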