Code Injection Vulnerability in Spring Cloud Gateway by Pivotal Software
CVE-2025-41235

8.6HIGH

Key Information:

Vendor: Vmware
Status: Spring Cloud Gateway; Spring Cloud Gateway Server Mvc
Vendor: CVE Published:; 30 May 2025

What is CVE-2025-41235?

The Spring Cloud Gateway Server is vulnerable to security risks due to improper handling of the X-Forwarded-For and Forwarded headers from untrusted proxies. This flaw can lead to potential code injection attacks, allowing malicious actors to exploit the server's ability to process these headers, posing a significant security risk to affected systems.

Affected Version(s)

Spring cloud Gateway Any 2.2.10.RELEASE - 4.2.2, 4.3.0-{M1, M2, RC1}

Spring Cloud Gateway Server MVC Any 4.1.7 - 4.2.2, 4.3.0-{M1, M2, RC1}

References

https://spring.io/security/cve-2025-41235

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 30, 2025
Vulnerability Reserved
Apr 16, 2025

Vmware

What is CVE-2025-41235?

Affected Version(s)

References

CVSS V3.1

Timeline