CVE-2025-41243

Name of the Vulnerable Software and Affected Versions Spring Cloud Gateway Server Webflux (affected versions not specified)

Description Spring Cloud Gateway Server Webflux may allow an attacker to modify Spring Environment properties. This is possible when the Spring Boot actuator is a dependency, the Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway, the actuator endpoints are accessible to attackers, and the actuator endpoints are not secured. Successful exploitation can lead to property modification within the route context, potentially enabling Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) attacks, allowing access to sensitive information and file system access. The issue stems from Spring Expression Language (SpEL) evaluation context complications.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.