CVE-2025-41243

Published Sep 16, 2025

Last updated 6 months ago

Overview

Description
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true:

* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* Spring Boot actuator is a dependency.
* The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
* The actuator endpoints are available to attackers.
* The actuator endpoints are unsecured.

Source: security@vmware.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@vmware.com: CWE-94

Social media

Hype score
Not currently trending
  1. CVE-2025-41243 - Spring Cloud Gateway WebFlux vulnerability https://t.co/m4aESbgXUE https://t.co/xyNlDAjxPs

    @ErcanSah1n

    30 Dec 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-41243 - Spring Cloud Gateway WebFlux vulnerability https://t.co/ArnCwhC05j https://t.co/XKG9zLQIQc

    @kevinpollock

    28 Oct 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CVE-2025-41243 - critical 🚨 Spring Cloud Gateway Server Webflux - Broken Access Control > Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured and ... 👾 https://t.co/r6wHcmtBkl @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    28 Oct 2025

    146 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  4. CVE-2025-41243 - Spring Cloud Gateway WebFlux vulnerability https://t.co/And3gOvlvV https://t.co/CYO8m8EZAh

    @scandaletti

    25 Oct 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-41243 - Spring Cloud Gateway WebFlux vulnerability https://t.co/QH8l8S2J5D https://t.co/5ErkFPFG6x

    @CloudVirtues

    25 Oct 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 📚 Spring Cloud Gateway SpEL Vulnerability (CVE-2025-41243) Exploring complicating evaluation context in Spring Cloud Gateway. Read: https://t.co/RihjBJ7MLm https://t.co/qnVQr5Uzrc

    @IntCyberDigest

    12 Oct 2025

    2816 Impressions

    5 Retweets

    15 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  7. [CVE-2025-41243] Spring Cloud Gateway: complicating evaluation context https://t.co/YxeKeMajO2

    @Dinosn

    12 Oct 2025

    420 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. [CVE-2025-41243] Spring Cloud Gateway: complicating evaluation context | https://t.co/MwPwD8kvOr https://t.co/YNSJu5MGQD

    @warthogtk

    10 Oct 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

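  9. CVE-2025-41243 vulnerability analysis: Spring Cloud Gateway SpEL, from arbitrary property access to arbitrary file download. Recently, Spring Cloud Gateway had yet another 10-point SpEL vulnerability. Several weeks after this vulnerability came out there are still few good analysis articles; even the vulnerability's author only gave DoS and configuration reading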

    @burp_heart

    29 Sept 2025

    1728 Impressions

    1 Retweet

    23 Likes

    14 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-41243 PoC for SpEL property modification using Spring Cloud Gateway Server https://t.co/PZFJEDaoul

    @Dinosn

    26 Sept 2025

    438 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. My PoC is out there, or what it is supposed to represent if CVSS score 10.0 on CVE-2025-41243: Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux At least property modification within its route context is possible https://t.co/WmelNOH9N0

    @psytester1

    24 Sept 2025

    3595 Impressions

    13 Retweets

    35 Likes

    14 Bookmarks

    2 Replies

    0 Quotes

  12. 🗣️ PoC Released for CVE-2025-41243 – A Spring Cloud Gateway Flaw with CVSS 10.0 https://t.co/6Vmk7EMQV0

    @fridaysecurity

    22 Sept 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. A critical flaw (CVE-2025-41243) in Spring Cloud Gateway with a CVSS 10.0 score allows unauthenticated RCE via SpEL injection. A PoC has been released. #SpringCloud #Vulnerability #Cybersecurity #SpEL #RCE https://t.co/RSI8J65ADa

    @the_yellow_fall

    22 Sept 2025

    219 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-41243 Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the follow… https://t.co/7KxOMowaqj

    @CVEnew

    19 Sept 2025

    274 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. [CVE-2025-41243: CRITICAL] Beware of cyber threats targeting Spring Cloud Gateway Server Webflux. Vulnerabilities arise from Spring Environment property modification and open actuator endpoints to attackers.#cve,CVE-2025-41243,#cybersecurity https://t.co/Z1rxfE5T0E https://t.co/h

    @CveFindCom

    16 Sept 2025

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-41243 – Spring Cloud Gateway WebFlux Actuator Property Modification Vulnerability Analysis Report — By CyberDudeBivash View the full report on ............ https://t.co/NaTbJ35iuO https://t.co/Fbl8acNjbI

    @cyberbivash

    9 Sept 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.