CVE-2025-41243

Incorrectly Configured Access Control
Affects: Spring Cloud Gateway in Spring
Versions: >=3.1.0 <=3.1.9, >=4.0.0 <=4.0.9, >=4.1.0 <=4.1.9, >=4.2.0 <4.2.5, >=4.3.0 <4.3.1
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Cloud Gateway is a library that provides an API gateway solution for microservices architectures. It offers a simple yet flexible way to route requests to microservices while providing cross-cutting concerns like security, monitoring, and resiliency through customizable filters. Built on a reactive foundation using Spring WebFlux, it provides high performance and scalability for handling large volumes of requests, while offering features like rate limiting, circuit breakers, request/response transformation, and load balancing out of the box.

A possible environment modification vulnerability (CVE-2025-41243) has been identified in Spring Cloud Gateway.

An environment modification vulnerability occurs when an attacker is able to manipulate aspects of a running application's runtime environment. The implications are severe, as it can allow changes to environment variables, system properties, or configuration parameters that influence application behavior. This could lead to information disclosure or privilege escalation.

This issue affects multiple versions of Spring Cloud Gateway's spring-cloud-gateway-server package.

Details

Vulnerability Info

The security flaw applies to Spring Cloud Gateway applications when specific deployment and configuration conditions align. It enables attackers to modify an application's runtime environment through a Spring Boot Actuator endpoint.

The security flaw manifests only if all of the following conditions are met:

  • The Spring Cloud Gateway application has Spring Boot actuators on the classpath
  • The Spring Cloud Gateway Server actuator web endpoint is enabled and exposed
  • The actuator endpoints are available to attackers and unsecured

Mitigation

Only recent versions of Spring Cloud Gateway are community-supported, and only those community-supported versions will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Cloud Gateway
  • Remove gateway from the management.endpoints.web.exposure.include property
  • Secure the application's Spring Boot actuator endpoints
  • Leverage a commercial support partner like HeroDevs for post-EOL security support
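The second and third mitigations in code form, as an added example that is not the project's own: the exposure property in its weak and corrected settings, and a Spring Security WebFlux filter chain that keeps every actuator endpoint, including gateway, behind authentication. The class name and the ACTUATOR_ADMIN role are assumptions chosen for this example.

```java
// Added example (not Spring Cloud Gateway project code). Closes the
// "actuator endpoints are available to attackers and unsecured" condition
// by requiring authentication on all actuator paths except health.
//
// Pair with the exposure property in application.properties:
//   weak:      management.endpoints.web.exposure.include=*          (exposes gateway)
//   corrected: management.endpoints.web.exposure.include=health,info
//
// Assumed names: ActuatorSecurityConfig and ACTUATOR_ADMIN are placeholders.
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    public SecurityWebFilterChain actuatorSecurity(ServerHttpSecurity http) {
        // Restrict this chain to actuator paths; gateway routes keep their own rules.
        http.securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeExchange(exchanges -> exchanges
                // Liveness/readiness probes may stay anonymous.
                .matchers(EndpointRequest.to("health")).permitAll()
                // Everything else under the actuator base path, including the
                // gateway endpoint, requires an authenticated operator role.
                .anyExchange().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Even with this chain in place, removing gateway from the exposure list remains the smaller attack surface, since an endpoint that is not exposed needs no access rule at all.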

Credit

Vulnerability Details

ID: CVE-2025-41243
Project Affected: Spring Cloud Gateway
Versions Affected: >=3.1.0 <=3.1.9, >=4.0.0 <=4.0.9, >=4.1.0 <=4.1.9, >=4.2.0 <4.2.5, >=4.3.0 <4.3.1
Published date: September 10, 2025
≈ Fix date: September 10, 2025
Severity: Critical
Category: Incorrectly Configured Access Control

Severity scale (CVSS assessment):
  Low: >=0 <4
  Medium: >=4 <6
  High: >=6 <8
  Critical: >=8 <10