Platform: java
Component: spring-cloud/spring-cloud-gateway
Fixed in: 4.3.1, 4.2.5, 4.1.11, 3.1.11
CVE-2025-41243 describes a remote code execution (RCE) vulnerability affecting Spring Cloud Gateway Server Webflux versions 3.1.0 through 4.3.1. This vulnerability arises from the ability to modify Spring Environment properties through unsecured Spring Boot actuator endpoints. Exploitation requires the actuator web endpoint to be enabled and accessible, potentially allowing attackers to execute arbitrary code on the server. A fix is available in version 4.3.1.
The impact of CVE-2025-41243 is severe. Successful exploitation allows an attacker to execute arbitrary code within the context of the Spring Cloud Gateway application. This could lead to complete system compromise, including data exfiltration, denial of service, and further lateral movement within the network. The vulnerability's reliance on exposed actuator endpoints means that applications with misconfigured security settings are particularly vulnerable. The ability to modify environment properties provides a flexible attack surface, potentially bypassing traditional security controls. This vulnerability shares similarities with other Spring framework vulnerabilities where improper configuration of actuator endpoints has led to exploitation.
CVE-2025-41243 was publicly disclosed on September 16, 2025. The CVSS score is 10.0 (CRITICAL). Public proof-of-concept exploits are likely to emerge given the vulnerability's severity and the ease of exploitation with proper endpoint exposure. The vulnerability's impact is amplified by the widespread use of Spring Cloud Gateway in enterprise applications. It is not currently listed on CISA KEV, but its criticality warrants close monitoring.
Exploit Status
EPSS: 2.78% (86th percentile)
The primary mitigation for CVE-2025-41243 is to upgrade to Spring Cloud Gateway version 4.3.1 or later. If upgrading is not immediately feasible, consider disabling the actuator endpoints by setting management.endpoints.web.exposure.include=none in your application configuration. Alternatively, restrict access to the actuator endpoints using authentication and authorization mechanisms, such as Spring Security. Implement a Web Application Firewall (WAF) with rules to block requests targeting the actuator endpoints. Monitor application logs for suspicious activity related to actuator endpoint access and environment property modifications. After upgrading, confirm the fix by attempting to access the actuator endpoint with unauthorized credentials and verifying that access is denied.
Upgrade Spring Cloud Gateway to version 4.3.1, 4.2.5, 4.1.11 or 3.1.11, or later, as appropriate for your release branch. Make sure the actuator endpoints are properly protected and not reachable by unauthenticated attackers. Consider disabling the 'gateway' endpoint if it is not needed.
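The two mitigation paragraphs above come down to the same checks: is actuator exposure narrowed (ideally to `management.endpoints.web.exposure.include=none`), and is anyone issuing state-changing requests to the `env` or `gateway` actuator endpoints? The script below is an added example, not code from the advisory or from the Spring projects. It audits a Spring Boot `application.properties` fragment for exposure of those two endpoint ids and scans access-log lines for write requests against them. It assumes the default actuator base path `/actuator` (configurable in Spring Boot via `management.endpoints.web.base-path`), Combined-format access logs, and constructed sample inputs; the function and constant names are mine.

```python
"""Defender-side checks for the actuator exposure that CVE-2025-41243 relies on.

Added example (not from the advisory or Spring). Assumes the default actuator
base path /actuator and Combined-format access logs. All samples are constructed.
"""
import re
from typing import Iterable

EXPOSURE_KEY = "management.endpoints.web.exposure.include"
EXCLUDE_KEY = "management.endpoints.web.exposure.exclude"
# Endpoint ids relevant to this advisory: 'env' (Spring Environment properties)
# and 'gateway' (the Spring Cloud Gateway endpoint the advisory says to disable).
SENSITIVE_ENDPOINTS = {"env", "gateway"}
# HTTP methods that modify state through the actuator.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for application.properties (comments/blanks skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def exposed_sensitive_endpoints(props: dict) -> set:
    """Return the sensitive actuator endpoint ids this config exposes over HTTP.

    Spring Boot's default include list is 'health', so a missing key exposes
    nothing sensitive; '*' exposes every endpoint; the exclude list wins over
    include. 'none' is not special to Spring Boot: it simply matches no endpoint.
    """
    included = {e.strip() for e in props.get(EXPOSURE_KEY, "health").split(",") if e.strip()}
    excluded = {e.strip() for e in props.get(EXCLUDE_KEY, "").split(",") if e.strip()}
    if "*" in excluded:
        return set()
    exposed = set(SENSITIVE_ENDPOINTS) if "*" in included else included & SENSITIVE_ENDPOINTS
    return exposed - excluded


def suspicious_actuator_requests(lines: Iterable[str]) -> list:
    """Flag state-changing requests to /actuator/env or /actuator/gateway/*.

    Blocked attempts (4xx) are reported too, since repeated denied writes to
    these paths are worth an alert even when access control held.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        parts = path.split("/")  # "/actuator/gateway/refresh" -> ["", "actuator", "gateway", "refresh"]
        if len(parts) < 3 or parts[1] != "actuator":
            continue
        if parts[2] in SENSITIVE_ENDPOINTS and m.group("method") in STATE_CHANGING:
            status = int(m.group("status"))
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": status,
                "succeeded": 200 <= status < 300,
            })
    return hits


# Constructed samples: the weak setting beside the advisory's recommended one.
WEAK_PROPERTIES = "# exposes every actuator endpoint, env and gateway included\n" \
                  "management.endpoints.web.exposure.include=*\n"
HARDENED_PROPERTIES = "# mitigation from the advisory: expose no actuator endpoints\n" \
                      "management.endpoints.web.exposure.include=none\n"

# Constructed access-log lines (Combined format).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [16/Sep/2025:10:00:01 +0000] "GET /actuator/health HTTP/1.1" 200 15',
    '10.0.0.5 - - [16/Sep/2025:10:00:02 +0000] "GET /actuator/env HTTP/1.1" 200 4312',
    '10.0.0.9 - - [16/Sep/2025:10:00:03 +0000] "POST /actuator/env HTTP/1.1" 200 0',
    '10.0.0.9 - - [16/Sep/2025:10:00:04 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0',
    '10.0.0.9 - - [16/Sep/2025:10:00:05 +0000] "POST /actuator/env HTTP/1.1" 401 0',
    '10.0.0.7 - - [16/Sep/2025:10:00:06 +0000] "GET /api/orders HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    print("weak config exposes:", exposed_sensitive_endpoints(parse_properties(WEAK_PROPERTIES)))
    print("hardened config exposes:", exposed_sensitive_endpoints(parse_properties(HARDENED_PROPERTIES)))
    for hit in suspicious_actuator_requests(SAMPLE_ACCESS_LOG):
        print("ALERT", hit)
```

Read-only `GET /actuator/env` is deliberately not flagged: it leaks configuration and deserves its own rule, but the advisory's concern is modification, so the write methods are the signal here. Point `parse_properties` at your real `application.properties` and the log scanner at your gateway's access log; if the config audit returns a non-empty set on an unpatched version, treat that as the exposure condition the advisory describes.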
CVE-2025-41243 is a critical remote code execution vulnerability in Spring Cloud Gateway versions 3.1.0–4.3.1, allowing attackers to modify environment properties and potentially execute arbitrary code.
You are affected if you are using Spring Cloud Gateway versions 3.1.0 through 4.3.1 and have exposed, unsecured Spring Boot actuator endpoints.
Upgrade to Spring Cloud Gateway version 4.3.1 or later. Alternatively, disable actuator endpoints or restrict access using authentication and authorization.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation suggest it is likely to be targeted.
Refer to the Spring Security website and Spring Blog for official advisories and updates related to CVE-2025-41243.