Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies.
Spring Cloud Gateway Server:
Spring Cloud Gateway Server MVC:
Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix version | Availability |
|---|---|---|
| 4.3.0-{M1, M2, RC1} | 4.3.0 | OSS |
| 4.2.x | 4.2.3 | OSS |
| 4.1.x | 4.1.8 | OSS |
| 4.0.x | 4.0.12 | Commercial |
| 3.1.x | 3.1.10 | Commercial |

NOTE: Older, unsupported versions are also impacted and should be upgraded to a supported version.
The X-Forwarded-* and Forwarded header functionality will be disabled by default in the fix versions. If you require X-Forwarded-* or Forwarded header functionality, after upgrading you will need to do the following:

- Set spring.cloud.gateway.trusted-proxies to a Java regular expression that specifies the proxies whose headers you trust. If you are using Spring Cloud Gateway Server MVC (only available from 4.1.x onward), set spring.cloud.gateway.mvc.trusted-proxies instead.

For example, for Spring Cloud Gateway Server:
spring.cloud.gateway.trusted-proxies=10\.0\.0\..*

For example, for Spring Cloud Gateway Server MVC:
spring.cloud.gateway.mvc.trusted-proxies=10\.0\.0\..*
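To make the trusted-proxies check concrete, the following Python model is added here as an illustration of the decision the fix versions make; it is example code written for this page, not Spring Cloud Gateway's own implementation. It shows why the check is anchored on the address of the TCP peer that delivered the request (a value no header can change), that the header is honoured only when that address fully matches the configured regex, and why the advisory's example value escapes its dots. The function names, the use of Python's re.fullmatch as a stand-in for Java's whole-string Pattern.matches, the "trust nothing when unset" default, and all sample addresses are assumptions constructed for the example.

```python
import re
from typing import Mapping, Optional

# Constructed model of the advisory's trusted-proxies behaviour.
# Not Spring Cloud Gateway's own code: names and defaults below are assumptions.

# Same value as the advisory's example: escaped dots, so only 10.0.0.x peers match.
TRUSTED_PROXIES = r"10\.0\.0\..*"


def matches_trusted(pattern: Optional[str], remote_addr: str) -> bool:
    """True if the connecting peer's address is covered by the trusted-proxies regex.

    Java's Pattern.matcher(addr).matches() requires the whole string to match;
    re.fullmatch is assumed equivalent for the simple patterns used here.
    An unset pattern trusts no proxy at all (assumed default-deny).
    """
    if not pattern:
        return False
    return re.fullmatch(pattern, remote_addr) is not None


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Optional[str] = TRUSTED_PROXIES,
              filter_enabled: bool = True) -> str:
    """Decide which address the gateway should treat as the client.

    remote_addr     - peer address of the TCP connection; a client cannot change
                      this by sending a header, which is why it anchors the check.
    headers         - request headers (looked up case-insensitively).
    trusted_proxies - the regex from spring.cloud.gateway.trusted-proxies.
    filter_enabled  - False models x-forwarded.enabled=false: the header is never used.
    """
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not filter_enabled or xff is None:
        return remote_addr
    if not matches_trusted(trusted_proxies, remote_addr):
        # Untrusted peer (or no trusted-proxies configured): whatever it claims in
        # X-Forwarded-For is ignored, so a direct connection cannot spoof a client address.
        return remote_addr
    # Trusted proxy: X-Forwarded-For is "client, proxy1, proxy2, ..."; the
    # left-most entry is the original client.
    return xff.split(",")[0].strip()


if __name__ == "__main__":
    claimed = {"X-Forwarded-For": "203.0.113.9"}   # constructed header value
    print(client_ip("10.0.0.5", claimed))           # trusted proxy: 203.0.113.9
    print(client_ip("198.51.100.7", claimed))       # untrusted peer: 198.51.100.7
    print(client_ip("10.0.0.5", claimed, trusted_proxies=None))   # nothing trusted
    print(client_ip("10.0.0.5", claimed, filter_enabled=False))   # filter off
    # Why the dots are escaped in the advisory's example value:
    print(matches_trusted("10.0.0..*", "10a0b0c"))      # True: unescaped '.' is a wildcard
    print(matches_trusted(TRUSTED_PROXIES, "10a0b0c"))  # False
```

The last two lines of the demo are the practical caveat: an unescaped value such as 10.0.0..* is a valid Java regex but treats every dot as a wildcard, so it trusts far more peers than the 10.0.0.x range it looks like; the escaped form in the advisory's example is the one to copy.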
If you cannot upgrade, then you can:

- Set spring.cloud.gateway.forwarded.enabled=false and spring.cloud.gateway.x-forwarded.enabled=false if you are using spring-cloud-starter-gateway; or, if you are using spring-cloud-starter-gateway-mvc (only available from 4.1.x onward), set spring.cloud.gateway.mvc.forwarded-request-headers-filter.enabled=false and spring.cloud.gateway.mvc.x-forwarded-request-headers-filter.enabled=false.

This vulnerability was discovered and responsibly reported by Vilius Šumskas.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy.