CVE-2025-41243
published 2025-09-16
Priority P275 · critical · 10 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 3.31% (87.0th percentile)
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true:
* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* Spring Boot actuator is a dependency.
* The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spring | cloud_gateway | >= 3.1.x < 3.1.11 | 3.1.11 |
| spring | cloud_gateway | >= 4.1.x, 4.0.x < 4.1.11 | 4.1.11 |
| spring | cloud_gateway | >= 4.2.x < 4.2.5 | 4.2.5 |
| spring | cloud_gateway | >= 4.3.x < 4.3.1 | 4.3.1 |
Detection & IOCs (extracted from sources)
command: `#{ @systemProperties['spring.cloud.gateway.restrictive-property-accessor.enabled'] = false}`
command: `#{ @environment.getPropertySources.?[#this.name matches '.*optional:classpath:.*' ][0].source.![{#this.getKey+'='+#this.getValue.toString}] }`
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Spring Cloud Gateway Dynamic Server-Side Request Forgery via Configuration (CVE-2025-41243)"; flow:established,to_server; http.uri; content:"/actuator/gateway/routes/"; fast_pattern; http.request_body; content:"|22|predicates|22 3a|"; content:"|22|pattern|22 3a|"; content:"|22|filters|22 3a|"; http.method; content:"POST"; reference:url,psytester.github.io/noCVE-SpringGateway_SSRF_as_Service/; reference:cve,2025-41243; classtype:web-application-attack; sid:2065810; rev:1; metadata:affected_product Spring_Framework, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_18, cve CVE_2025_41243, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Detect POST requests to /actuator/gateway/routes/ followed by POST to /actuator/gateway/refresh, the two-step exploitation pattern for CVE-2025-41243.
- Alert on HTTP POST bodies containing both 'filters' and 'predicates'/'pattern' keys targeting /actuator/gateway/routes/, as captured by the ET Snort rule (sid:2065810).
- Flag responses to GET /actuator/gateway/routes/{id} that contain both 'spring.cloud.gateway' and 'RouteDefinitionRouteLocator', confirming successful SpEL property injection.
- Use FOFA/Shodan fingerprinting to identify exposed Spring Boot/Spring Cloud Gateway instances as potential targets.
- Inspect POST request bodies to /actuator/gateway/routes/ for SpEL expressions (patterns like #{...}) in filter argument values, which indicate exploitation attempts.
- Monitor for the AddResponseHeader filter name being used with SpEL payloads in route definitions, a key indicator of the exploitation technique.
- Note: Vulnerability only applies to Spring Cloud Gateway Server Webflux; the WebMVC variant is NOT affected.
- Note: The Snort rule (sid:2065810) requires TLS decryption to be effective against HTTPS-protected deployments, as indicated by the TLSDecrypt deployment metadata.
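
The request-side checks listed above (a `#{...}` expression in a filter argument of a route POST, then a refresh from the same client) can be run over decoded HTTP logs; this is an added example, not code from the page or from any cited rule. The event schema (`src`, `method`, `path`, `body`), the function names and the sample events are assumptions constructed for illustration.

```python
import json
import re

ROUTES = "/actuator/gateway/routes/"
REFRESH = "/actuator/gateway/refresh"
SPEL = re.compile(r"#\{.*?\}", re.S)  # SpEL template expression: #{...}

def spel_filter_args(body):
    """Return (filter name, arg key) pairs whose value holds #{...}; raw match if body is not JSON."""
    try:
        route = json.loads(body)
    except ValueError:
        return [("<unparsed>", "<raw>")] if SPEL.search(body) else []
    hits = []
    filters = route.get("filters") if isinstance(route, dict) else None
    for flt in filters or []:
        args = flt.get("args") if isinstance(flt, dict) else None
        for key, value in (args.items() if isinstance(args, dict) else []):
            if isinstance(value, str) and SPEL.search(value):
                hits.append((flt.get("name"), key))
    return hits

def detect(events):
    """events: time-ordered dicts with src, method, path, body (hypothetical log schema)."""
    alerts, pending = [], {}
    for ev in events:
        if ev["method"] != "POST":
            continue
        path = ev["path"].split("?", 1)[0]
        if path.startswith(ROUTES):
            hits = spel_filter_args(ev.get("body") or "")
            if hits:
                alert = {"src": ev["src"], "route": path[len(ROUTES):], "spel_args": hits, "refreshed": False}
                alerts.append(alert)
                pending.setdefault(ev["src"], []).append(alert)
        elif path.rstrip("/") == REFRESH:
            # A refresh after a flagged route POST completes the two-step pattern.
            for alert in pending.pop(ev["src"], []):
                alert["refreshed"] = True
    return alerts

def sample_body(value):  # constructed route definition body
    return json.dumps({"predicates": [{"name": "Path", "args": {"pattern": "/t"}}], "uri": "http://example.invalid",
                       "filters": [{"name": "AddResponseHeader", "args": {"name": "X-Test", "value": value}}]})
SAMPLE_EVENTS = [  # constructed: documentation addresses, harmless expression
    {"src": "203.0.113.7", "method": "POST", "path": ROUTES + "probe", "body": sample_body("#{1+1}")},
    {"src": "203.0.113.7", "method": "POST", "path": REFRESH, "body": ""},
    {"src": "198.51.100.9", "method": "POST", "path": ROUTES + "static", "body": sample_body("prod")},
]
```

An alert with `refreshed` still false means the route was posted but not yet activated, which is worth triaging before the refresh arrives.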
OSV
Spring Expression language property modification using Spring Cloud Gateway Server WebFlux
osv·2025-09-16
CVE-2025-41243 [CRITICAL] Spring Expression language property modification using Spring Cloud Gateway Server WebFlux
GHSA
Spring Expression language property modification using Spring Cloud Gateway Server WebFlux
ghsa·2025-09-16
CVE-2025-41243 [CRITICAL] CWE-94 Spring Expression language property modification using Spring Cloud Gateway Server WebFlux
Suricata
ET WEB_SPECIFIC_APPS Spring Cloud Gateway Dynamic Server-Side Request Forgery via Configuration (CVE-2025-41243)
suricata·2025-11-18·CVSS 10.0
CVE-2025-41243 [CRITICAL] ET WEB_SPECIFIC_APPS Spring Cloud Gateway Dynamic Server-Side Request Forgery via Configuration (CVE-2025-41243)
Nuclei
Spring Cloud Gateway Server Webflux - Broken Access Control
nuclei·CVSS 10.0
CVE-2025-41243 [CRITICAL] Spring Cloud Gateway Server Webflux - Broken Access Control
Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured and exposed actuator endpoints that allows modification of Spring Environment properties, letting attackers modify configuration. Exploitation requires unsecured, exposed actuator endpoints.
Template:
```yaml
id: CVE-2025-41243
info:
  name: Spring Cloud Gateway Server Webflux - Broken Access Control
  author: Redmomn
  severity: critical
  description: |
    Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured and exposed actuator endpoints allowing modification of Spring Environment properties, letting attackers modify configuration, exploit requires unsecured actuator endpoints exposure.
  impact: |
    Attackers can modify Spring Environment propert
```
Published: 2025-09-16