GHSA-Q2CJ-H8FW-Q4CC
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 20:20
VLAI?
Summary
Spring Expression language property modification using Spring Cloud Gateway Server WebFlux
Details
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.
An application should be considered vulnerable when all the following are true:
- The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
- Spring Boot actuator is a dependency.
- The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
- The actuator endpoints are available to attackers.
- The actuator endpoints are unsecured.
Severity ?
10.0 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway-server-webflux"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"last_affected": "3.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway-server-webflux"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"last_affected": "4.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway-server-webflux"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.cloud:spring-cloud-gateway-server-webflux"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-41243"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-16T20:20:00Z",
"nvd_published_at": "2025-09-16T15:15:44Z",
"severity": "CRITICAL"
},
"details": "Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.\n\nAn application should be considered vulnerable when all the following are true:\n\n * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).\n * Spring Boot actuator is a dependency.\n * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.\n * The actuator endpoints are available to attackers.\n * The actuator endpoints are unsecured.",
"id": "GHSA-q2cj-h8fw-q4cc",
"modified": "2025-09-16T20:20:00Z",
"published": "2025-09-16T15:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41243"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2025-41243"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Spring Expression language property modification using Spring Cloud Gateway Server WebFlux"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…