Spring Cloud Gateway
by Spring Cloud
Source repositories
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-41235 | Hig | 0.56 | 8.6 | 0.00 | May 30, 2025 | Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. | ||
| CVE-2025-41253 | Hig | 0.49 | 7.5 | 0.00 | Oct 16, 2025 | The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: * The application is using… | ||
| CVE-2022-22947 | 0.23 | — | 0.98 | KEV | Mar 3, 2022 | In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote… | ||
| CVE-2022-22946 | 0.00 | — | 0.05 | Mar 4, 2022 | In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or… |
- risk 0.56cvss 8.6epss 0.00
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies.
- risk 0.49cvss 7.5epss 0.00
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: * The application is using…
- risk 0.23cvss —epss 0.98
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote…
- CVE-2022-22946Mar 4, 2022risk 0.00cvss —epss 0.05
In spring cloud gateway versions prior to 3.1.1+ , applications that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid or…