VYPR
High severity · 8.6 · NVD Advisory · Published Jun 15, 2026

CVE-2026-47825

Description

Spring Cloud Gateway Server forwards X-Forwarded-For and Forwarded headers from untrusted proxies, enabling IP spoofing in certain configurations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Spring Cloud Gateway Server, in both WebMVC and WebFlux variants, forwards the X-Forwarded-For and Forwarded headers from untrusted proxies under certain configurations. This occurs when the gateway is configured to process these headers for IP forwarding or logging but does not verify that the immediate peer sending them is a trusted proxy. Affected versions include Spring Cloud Gateway 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x, as well as older unsupported versions. [1]

Exploitation

An attacker with network access to the gateway can send crafted HTTP requests containing arbitrary X-Forwarded-For or Forwarded headers. No authentication or user interaction is required (CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N). The gateway will forward these headers to downstream services, effectively allowing the attacker to spoof the client IP address. [1]

Impact

Successful exploitation enables the attacker to impersonate arbitrary IP addresses, potentially bypassing IP-based access controls, rate limiting, or audit logging in downstream applications. The integrity impact is high, and the scope is changed, meaning the attacker can affect resources beyond the gateway's own security boundaries. [1]

Mitigation

Users should upgrade to the fixed versions: 3.1.13, 4.1.13, 4.2.9, 4.3.5, or 5.0.2, depending on their branch. As part of the fix, the NettyServerCustomizer is disabled by default; if required, it can be re-enabled via the property spring.cloud.gateway.server.webflux.httpserver.customizer-enabled=true (for 5.0.x, and for 4.3.x using the new properties namespace) or spring.cloud.gateway.httpserver.customizer-enabled=true (for 4.3.x without migration, and for 4.2.x and 3.1.x). No other workarounds are documented. [1]
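The header-trust logic that the Vulnerability and Mitigation sections describe, as an added example that is not part of this advisory and not Spring Cloud Gateway's own code: a resolver that consults X-Forwarded-For or Forwarded only when the immediate peer is a trusted proxy, and a sanitiser that strips unverified chains before a gateway forwards a request downstream. The TRUSTED_PROXIES networks, the function names and the sample requests are assumptions constructed for the example.

```python
"""Trusted-proxy handling of X-Forwarded-For / Forwarded headers.

Illustrative example written for this page; it is not Spring Cloud Gateway code.
The trust list and the sample requests are constructed.
"""
import ipaddress

# Assumption: only proxies inside these networks may assert a client address on our behalf.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

FORWARDING_HEADERS = ("x-forwarded-for", "forwarded")


def _is_trusted(ip_text, trusted):
    """True if ip_text parses as an address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbage, a hostname or an obfuscated RFC 7239 identifier: never trusted
    return any(ip in net for net in trusted)


def _parse_xff(value):
    """X-Forwarded-For: comma-separated list, leftmost entry is the claimed original client."""
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def _parse_forwarded(value):
    """RFC 7239 Forwarded: take the for= node of each element, dropping quotes, brackets and ports."""
    hops = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, node = pair.strip().partition("=")
            if name.lower() != "for":
                continue
            node = node.strip().strip('"')
            if node.startswith("["):               # "[2001:db8::1]:4711" -> 2001:db8::1
                node = node[1:node.index("]")]
            elif node.count(":") == 1:             # 192.0.2.60:1234 -> 192.0.2.60
                node = node.split(":")[0]
            hops.append(node)
    return hops


def resolve_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Client address to use for access control, rate limiting and audit logging.

    The forwarding headers are consulted only when the immediate peer is a trusted
    proxy. The chain is then walked right to left: each trusted hop was appended by
    a proxy we trust, and the first hop that is not a trusted proxy is the client.
    Anything further left was supplied by an untrusted party and is ignored.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if not _is_trusted(peer_ip, trusted):
        return peer_ip                             # untrusted peer: ignore whatever it claims
    if "forwarded" in lowered:
        hops = _parse_forwarded(lowered["forwarded"])
    elif "x-forwarded-for" in lowered:
        hops = _parse_xff(lowered["x-forwarded-for"])
    else:
        hops = []
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0] if hops else peer_ip            # whole chain is internal: leftmost is the client


def sanitize_forwarding_headers(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Headers a gateway should send downstream.

    Client-supplied X-Forwarded-For / Forwarded values are dropped unless the peer is
    a trusted proxy, and the peer's own address is always appended, so downstream
    services never receive an unverified chain.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    out = {k: v for k, v in headers.items() if k.lower() not in FORWARDING_HEADERS}
    chain = []
    if _is_trusted(peer_ip, trusted) and "x-forwarded-for" in lowered:
        chain = _parse_xff(lowered["x-forwarded-for"])
    chain.append(peer_ip)
    out["X-Forwarded-For"] = ", ".join(chain)
    return out


if __name__ == "__main__":
    # Constructed request: a peer outside the trust list asserts a different client address.
    request = {"X-Forwarded-For": "198.51.100.9", "Host": "api.example"}
    print(resolve_client_ip("203.0.113.7", request))          # 203.0.113.7
    print(sanitize_forwarding_headers("203.0.113.7", request))  # chain replaced by the real peer
```

The two functions separate the two places where the advisory's weakness bites: resolve_client_ip is what rate limiting, IP allow-lists and audit logging should call, and sanitize_forwarding_headers is what a gateway should apply before proxying, so that a downstream service relying on the header sees only hops vouched for by a trusted proxy.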

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.