Vmware Spring Cloud Gateway vulnerabilities

5 known vulnerabilities affecting vmware/spring_cloud_gateway.

Total CVEs: 5
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 2

Vulnerabilities

CVE-2026-22750 | HIGH | CVSS 7.5 | Affected: ≥ 4.2.0, < 4.2.1 | Date: 2026-04-10
CWE-15: When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgr
Sources: cvelistv5, nvd
CVE-2025-41235 | HIGH | CVSS 8.6 | Affected: ≥ 2.2.10.RELEASE - 4.2.2, 4.3.0-{M1, M2, RC1}, < 4.3.0, 4.2.3, 4.1.8, 4.0.12, 3.1.10 | Date: 2025-05-30
CWE-444: Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies.
Sources: cvelistv5, nvd
CVE-2022-22946 | MEDIUM | CVSS 5.5 | Affected: v3.1.0 | Date: 2022-03-04
CWE-295: In Spring Cloud Gateway versions prior to 3.1.1+, applications that are configured to enable HTTP2 and have no key store or trusted certificates set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or custom certificates.
Sources: nvd
CVE-2022-22947 | CRITICAL | CVSS 10.0 | KEV | PoC | Affected: v3.1.0; fixed in 3.0.7 | Date: 2022-03-03
CWE-94: In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
Sources: nvd
CVE-2021-22051 | MEDIUM | CVSS 6.5 | Affected: ≥ 3.0.0, < 3.0.5; fixed in 2.2.10 | Date: 2021-11-08
CWE-863: Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer.
Sources: nvd