PT-2025-42472 · VMware · Spring Cloud Gateway Server Webflux

Published: 2025-10-16 · Updated: 2025-11-22 · CVE-2025-41253

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Spring Cloud Gateway Server Webflux (affected versions not specified)
Description: Spring Cloud Gateway Server Webflux is susceptible to a SpEL (Spring Expression Language) injection issue. The flaw allows an unauthenticated attacker to read environment variables and system properties through maliciously crafted routes. It arises when SpEL is used to access environment variables or system properties via routes, specifically when the Spring Cloud Gateway Server Webflux actuator web endpoint is enabled and unsecured. Successful exploitation discloses sensitive information such as secrets, credentials, and configuration details. Spring Cloud Gateway Server WebMVC is not affected.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
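The description ties the exposure to the gateway actuator web endpoint being enabled and reachable without authentication. The following application.yml fragments are an added illustration, not part of the advisory and not code from VMware or the Spring project: the first shows the exposed configuration, the second keeps the route-management endpoint switched off so that routes can only come from static configuration or application code. The property names are the standard Spring Boot and Spring Cloud Gateway ones; the choice of health and info as the only exposed endpoints is an assumption for the example.

```yaml
# Added example (not from the advisory): two application.yml fragments for a
# Spring Cloud Gateway Server Webflux deployment.

# --- Exposed: the gateway actuator endpoint is enabled and every actuator
# --- endpoint is exposed over HTTP, so route management is reachable by any
# --- caller unless Spring Security is placed in front of it.
management:
  endpoint:
    gateway:
      enabled: true          # turns on /actuator/gateway (route management)
  endpoints:
    web:
      exposure:
        include: "*"         # exposes every actuator endpoint, gateway included
---
# --- Reduced exposure: the gateway endpoint is disabled and only read-only
# --- health/info endpoints are exposed. Routes are then defined solely in
# --- configuration or in a RouteLocator bean, not through the actuator.
management:
  endpoint:
    gateway:
      enabled: false         # /actuator/gateway is not registered at all
  endpoints:
    web:
      exposure:
        include: health,info # assumption: the only endpoints this deployment needs
```

When remote route management genuinely is required, the endpoint should stay behind authentication (a Spring Security filter chain matched on the actuator paths) rather than being exposed with a wildcard include; a quick check is to request /actuator/gateway/routes anonymously from a non-admin network position and confirm it is refused.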

Weakness Enumeration

Related Identifiers

CVE-2025-41253
GHSA-FWXX-WV44-7QFG

Affected Products

Spring Cloud Gateway Server Webflux