Property Modification Vulnerability in Spring Cloud Gateway Server by Spring
CVE-2025-41243

10CRITICAL

Key Information:

Vendor: Spring
Status: Cloud Gateway
Vendor: CVE Published:; 16 September 2025

What is CVE-2025-41243?

The Spring Cloud Gateway Server Webflux configuration may be exploited to modify Spring Environment properties when certain conditions are met. This vulnerability occurs specifically when the application utilizes Spring Boot actuator as a dependency, and the actuator's web endpoint is both enabled and unsecured. Attackers may take advantage of this flaw if they gain access to actuator endpoints, thereby posing significant security risks to applications running on this framework.

Affected Version(s)

Cloud Gateway 4.3.x < 4.3.1

Cloud Gateway 4.2.x < 4.2.5

Cloud Gateway 4.1.x, 4.0.x < 4.1.11

References

https://spring.io/security/cve-2025-41243

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 16, 2025
Vulnerability Reserved
Apr 16, 2025