Vulnerability Database

296,663

Total vulnerabilities in the database

CVE-2025-41243

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.

An application should be considered vulnerable when all the following are true:

The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
Spring Boot actuator is a dependency.
The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
The actuator endpoints are available to attackers.
The actuator endpoints are unsecured.

Published: Sep 16, 2025
Updated: Sep 17, 2025
CVE: CVE-2025-41243
GHSA: GHSA-q2cj-h8fw-q4cc
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
org.springframework.cloud / spring-cloud-gateway-server-webflux	3.1.0	3.1.10.x
org.springframework.cloud / spring-cloud-gateway-server-webflux	4.0.0	4.1.10.x
org.springframework.cloud / spring-cloud-gateway-server-webflux	4.2.0	4.2.5
org.springframework.cloud / spring-cloud-gateway-server-webflux	4.3.0	4.3.1

https://spring.io/security/cve-2025-41243

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime