Critical severity10.0NVD Advisory· Published Sep 16, 2025· Updated Apr 15, 2026
CVE-2025-41243
CVE-2025-41243
Description
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.
An application should be considered vulnerable when all the following are true:
- The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
- Spring Boot actuator is a dependency.
- The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
- The actuator endpoints are available to attackers.
- The actuator endpoints are unsecured.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.cloud:spring-cloud-gateway-server-webfluxMaven | >= 3.1.0, <= 3.1.10 | — |
org.springframework.cloud:spring-cloud-gateway-server-webfluxMaven | >= 4.0.0, <= 4.1.10 | — |
org.springframework.cloud:spring-cloud-gateway-server-webfluxMaven | >= 4.2.0, < 4.2.5 | 4.2.5 |
org.springframework.cloud:spring-cloud-gateway-server-webfluxMaven | >= 4.3.0, < 4.3.1 | 4.3.1 |
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-q2cj-h8fw-q4ccghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-41243ghsaADVISORY
- spring.io/security/cve-2025-41243nvdWEB
News mentions
0No linked articles in our index yet.