Spring Cloud Gateway Server Webflux Vulnerability Exposes Sensitive Data
CVE-2025-41253
7.5 HIGH
What is CVE-2025-41253?
Spring Cloud Gateway Server Webflux can unintentionally expose environment variables and system properties when certain configurations are left unsecured. An attacker who can reach the gateway's actuator endpoints could use Spring Expression Language (SpEL) in route definitions to gain unauthorized access to this sensitive data. The risk applies when the actuator endpoints are unsecured and publicly reachable, in particular when management endpoints are exposed without restriction. Users should verify that these settings are configured so that the management endpoints are not reachable by untrusted clients.
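The advisory's mitigation is to keep the gateway's management endpoints off the public surface and behind authentication. The following is an added example, not code from the advisory or from the Spring Cloud Gateway project: a Spring Security WebFlux configuration that requires an authenticated administrative role for every actuator endpoint while leaving only the health check anonymous. It assumes Spring Boot 3.x with `spring-boot-starter-actuator` and `spring-boot-starter-security` on the WebFlux stack; the class name, the `ACTUATOR_ADMIN` role and the use of HTTP Basic are assumptions chosen for illustration, and the property names quoted in the comments are standard Spring Boot and Spring Cloud Gateway properties.

```java
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

/*
 * Weak configuration (application.yml) that matches the exposure described in the advisory:
 *
 *   management:
 *     endpoints:
 *       web:
 *         exposure:
 *           include: "*"        # every actuator endpoint, including "gateway", reachable over HTTP
 *     endpoint:
 *       gateway:
 *         enabled: true         # gateway route management endpoint switched on
 *   # and no Spring Security rule protecting /actuator/** 
 *
 * Corrected configuration: expose only what operations needs, and protect the rest
 * with the security chain below.
 *
 *   management:
 *     endpoints:
 *       web:
 *         exposure:
 *           include: health,info  # "gateway" is not listed, so it is not served publicly
 *     endpoint:
 *       gateway:
 *         enabled: false        # leave off unless route management over HTTP is required
 */
@Configuration
@EnableWebFluxSecurity
public class ActuatorSecurityConfig { // class name is an assumption

    @Bean
    public SecurityWebFilterChain actuatorSecurity(ServerHttpSecurity http) {
        return http
            // This chain applies only to actuator paths; application routes use their own chain.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeExchange(exchanges -> exchanges
                // Health is the only endpoint left anonymous, for load balancer probes.
                .matchers(EndpointRequest.to("health")).permitAll()
                // Everything else, including the gateway endpoint if it is ever enabled,
                // requires an authenticated user holding the (assumed) ACTUATOR_ADMIN role.
                .anyExchange().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is used here for brevity; any authenticated mechanism works.
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}
```

The two controls are complementary: the exposure list decides which endpoints Spring Boot serves at all, and the security chain ensures that whatever is served cannot be reached without credentials. Checking both is the quickest way to confirm a deployment does not match the unsecured condition the advisory describes.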
Affected Version(s)
Spring Cloud Gateway Server Webflux 3.1.x
Spring Cloud Gateway Server Webflux 4.0.x