Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2025-41243: Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux
Description
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.
An application should be considered vulnerable when all the following are true:
- The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
- Spring Boot actuator is a dependency.
- The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via
management.endpoints.web.exposure.include=gateway. - The actuator endpoints are available to attackers.
- The actuator endpoints are unsecured.
Affected Spring Products and Versions
Spring Cloud Gateway:
- 4.3.0 - 4.3.x
- 4.2.0 - 4.2.x
- 4.1.0 - 4.1.x
- 4.0.0 - 4.0.x
- 3.1.0 - 3.1.x
- Older, unsupported versions are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 4.3.x | 4.3.1 | OSS |
| 4.2.x | 4.2.5 | OSS |
| 4.1.x | 4.1.11 | Enterprise |
| 4.0.x | 4.1.11 | Out of support |
| 3.1.x | 3.1.11 | Enterprise |
No further mitigation steps are necessary.
If you cannot upgrade, then you can:
- Remove
gatewayfrom themanagement.endpoints.web.exposure.includeproperty or secure the actuator endpoints.
Credit
This issue was responsibly reported by Ezzer17.
References
History
- 2025-09-08: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all