By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2025-41235

HTTP Request Smuggling

Affects

Spring Cloud Gateway

Spring

Versions

<=3.1.10, >= 4.0.0 <= 4.0.10, >=4.1.0 <4.1.8, >=4.2.0 <4.2.3, >4.3.0-{M1, M2, RC1} < 4.3.0

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Spring Cloud Gateway is an API gateway for reactive APIs and microservices. It offers routing, request transformation, and load balancing and is widely used in cloud-native applications.

‍

An Information Exposure vulnerability (CVE-2025-41235) has been identified in Spring Cloud Gateway. The issue stems from improper validation of headers forwarded from untrusted proxies. This weakness allows attackers to manipulate headers or spoof requests.

‍

This issue affects multiple versions of Spring Cloud Gateway’s spring-cloud-gateway-server package.

‍

Details

Module Info

Product: Spring Cloud Gateway
Affected packages: spring-cloud-gateway-server
Affected versions: <=3.1.10, >= 4.0.0 <= 4.0.10, >=4.1.0 <4.1.8, >=4.2.0 <4.2.3, >4.3.0-{M1, M2, RC1} < 4.3.0
GitHub repository: https://github.com/spring-cloud/spring-cloud-gateway
Published packages: https://central.sonatype.com/artifact/org.springframework.cloud/spring-cloud-gateway-server
Package manager: Maven
Fixed In: NES for Spring Cloud Gateway v3.1.12

‍

Vulnerability Info

The issue stems from improper validation of headers Forwarded and X-Forwarded-* headers (e.g. X-Forwarded-For, X-Forwarded-Host, etc.) forwarded from untrusted proxies. This vulnerability is a result of flawed logic, and may allow attackers to manipulate headers or spoof requests.

Mitigation

Only recent versions of Spring Cloud Gateway are community-supported. Only the recent community supported version will receive updates to address this issue. For more information, see here.

‍

Users of the affected components should apply one of the following mitigations:

Upgrade affected applications to supported versions of Spring Cloud Gateway
If you cannot upgrade to a fixed version, you can disable the functionality entirely to mitigate the vulnerability:
- For spring-cloud-starter-gateway, set the following properties
  - spring.cloud.gateway.forwarded.enabled=false
  - spring.cloud.gateway.x-forwarded.enabled=false
- For spring-cloud-starter-gateway-mvc (version 4.1.+), set the following properties
  - spring.cloud.gateway.mvc.forwarded-request-headers-filter.enabled=false
  - spring.cloud.gateway.mvc.x-forwarded-request-headers-filter.enabled=false
With the fixed versions starting at 4.1.x, the functionality for processing X-Forwarded-* and Forwarded headers is disabled by default. If your application relies on these headers, you must configure trusted proxies after upgrading. Use the following settings to specify the proxies whose headers you trust using the following configuration:
- For Spring Cloud Gateway Server: spring.cloud.gateway.trusted-proxies=10\.0\.0\..*
- For Spring Cloud Gateway Server MVC: spring.cloud.gateway.mvc.trusted-proxies=10\.0\.0\..*