
Critical Spring Gateway Flaw Enables Remote Code Execution

A critical vulnerability (CVE-2025-41243) in Spring Cloud Gateway Server WebFlux enables attackers to execute arbitrary code on affected systems by manipulating Spring Environment properties through exposed actuator endpoints.

Security researcher Ezzer17 discovered that the flaw affects multiple versions of the popular API gateway framework, including Spring Cloud Gateway versions 4.3.x, 4.2.x, 4.1.x, 4.0.x, and 3.1.x. The vulnerability abuses Spring Expression Language (SpEL) evaluation contexts to bypass security restrictions and modify system properties.

The vulnerability is exploitable only when an application meets all of the following conditions: it uses Spring Cloud Gateway Server WebFlux (not WebMVC), has Spring Boot Actuator as a dependency, exposes the gateway actuator endpoint via management.endpoints.web.exposure.include=gateway, and leaves the actuator endpoints unsecured and reachable by attackers.

The researcher's analysis shows that attackers can manipulate the @systemProperties bean—a map containing all configuration parameters—to disable the restrictive property access controls. "Even a restricted evaluation context still allows some things, including accessing beans and creating and modifying variables, maps, and arrays," the researcher noted in their technical breakdown.

The attack works by first adding a malicious route that sets spring.cloud.gateway.restrictive-property-accessor.enabled to false, then abusing the weakened security context to access sensitive application data or execute arbitrary code.
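Because the attack path runs through route changes made over the actuator, the requests that add a route and then refresh the gateway leave a trail in the gateway's access log. The following detection script is an added example, not code from the article or from the Spring project; it assumes the route-management paths under /actuator/gateway (routes, routes/{id}, refresh) that Spring Cloud Gateway documents for its actuator API, and it runs over a few constructed combined-log-format lines embedded in the block.

```python
"""Flag access-log entries that change gateway routes through the actuator.

Added example for the CVE-2025-41243 write-up; not the article's or Spring's code.
Assumption: route writes arrive as POST/PUT/DELETE under /actuator/gateway/ and a
POST to /actuator/gateway/refresh applies them (Spring Cloud Gateway actuator API).
"""
import re

# Constructed sample log, combined log format. The '-' in the third field is the
# authenticated user; '-' means the request carried no authenticated principal.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2025:10:00:01 +0000] "GET /api/orders HTTP/1.1" 200 512
203.0.113.7 - - [20/Sep/2025:10:00:02 +0000] "GET /actuator/gateway/routes HTTP/1.1" 200 2048
203.0.113.7 - - [20/Sep/2025:10:00:03 +0000] "POST /actuator/gateway/routes/new-route HTTP/1.1" 201 0
203.0.113.7 - - [20/Sep/2025:10:00:04 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
10.0.0.9 - ops [20/Sep/2025:10:00:05 +0000] "DELETE /actuator/gateway/routes/old-route HTTP/1.1" 200 0
10.0.0.9 - - [20/Sep/2025:10:00:06 +0000] "GET /actuator/health HTTP/1.1" 200 15
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

WRITE_METHODS = {"POST", "PUT", "DELETE"}
GATEWAY_PREFIX = "/actuator/gateway"


def classify(line):
    """Return ('write'|'read', ip, path, user) for gateway actuator requests, else None."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").startswith(GATEWAY_PREFIX):
        return None
    kind = "write" if m.group("method") in WRITE_METHODS else "read"
    return kind, m.group("ip"), m.group("path"), m.group("user")


def find_route_modifications(log_text):
    """Return one dict per route-changing request: ip, path and whether it was unauthenticated.

    Reads (GET /actuator/gateway/routes) are not reported: listing routes is noisy
    and benign on its own, while any write to the route table is rare and should
    always be reconciled against a change ticket or CI job.
    """
    hits = []
    for line in log_text.splitlines():
        c = classify(line)
        if c and c[0] == "write":
            _, ip, path, user = c
            hits.append({"ip": ip, "path": path, "unauthenticated": user == "-"})
    return hits


def unauthenticated_writers(log_text):
    """IPs that changed routes without an authenticated principal: the strongest signal."""
    return sorted({h["ip"] for h in find_route_modifications(log_text) if h["unauthenticated"]})


if __name__ == "__main__":
    for hit in find_route_modifications(SAMPLE_LOG):
        print(hit)
    print("unauthenticated route writers:", unauthenticated_writers(SAMPLE_LOG))
```

On a gateway whose route table is managed by configuration or CI, any hit from this script is worth an alert; a write followed within seconds by a refresh from the same address with no authenticated user is the shape of the sequence the article describes.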

Industry Impact and Response

This discovery highlights ongoing challenges in securing dynamic routing configurations in enterprise infrastructure. The vulnerability particularly threatens organizations using Spring Cloud Gateway for API management, as it can lead to complete system compromise when combined with application restart capabilities.

Spring has released patches across affected versions: 4.3.1, 4.2.5, 4.1.11, and 3.1.11 for enterprise users. Organizations unable to upgrade immediately should remove "gateway" from the management.endpoints.web.exposure.include property or secure their actuator endpoints.
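The exposure conditions above and the patched versions listed here can be checked mechanically. The script below is an added example, not code from the article or from Spring; it parses a Spring Boot application.properties file, flags the gateway actuator exposure and a disabled restrictive property accessor, and compares the running Spring Cloud Gateway version against the fixed releases the article names. Two things it knows beyond the article are labelled as such in the code: that `*` in management.endpoints.web.exposure.include exposes every endpoint, and that management.endpoint.gateway.enabled is the switch that turns the gateway endpoint off entirely.

```python
"""Audit a Spring Cloud Gateway deployment for the CVE-2025-41243 exposure conditions.

Added example; not the article's or Spring's own code. Fixed versions are those
listed in the article. Treatment of version lines the article gives no fix for
(e.g. 4.0.x) is an assumption: they are reported as needing an upgrade.
"""
import re

# First patched release per affected line, as listed in the article.
FIXED_VERSIONS = {
    (4, 3): (4, 3, 1),
    (4, 2): (4, 2, 5),
    (4, 1): (4, 1, 11),
    (3, 1): (3, 1, 11),
}

EXPOSURE_KEY = "management.endpoints.web.exposure.include"
ACCESSOR_KEY = "spring.cloud.gateway.restrictive-property-accessor.enabled"

# Constructed sample: the exposure pattern the article warns about.
WEAK_CONFIG = """\
server.port=8080
management.endpoints.web.exposure.include=health,info,gateway
"""

# Constructed sample: gateway removed from the exposure list and the endpoint
# disabled outright (management.endpoint.gateway.enabled is Spring Cloud
# Gateway's documented switch; it is not mentioned in the article).
HARDENED_CONFIG = """\
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoint.gateway.enabled=false
"""


def parse_version(v):
    """'4.2.4' -> (4, 2, 4); tolerates suffixes such as '4.2.4-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True when the version is on an affected line and below its first fixed patch."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Assumption: lines older than 4.3 with no listed fix (4.0.x) need an upgrade.
        return (major, minor) < (4, 3)
    return (major, minor, patch) < fixed


def parse_properties(text):
    """Minimal application.properties parser: key=value, '#'/'!' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(properties_text, gateway_version):
    """Return a list of findings; an empty list means none of the article's conditions was detected."""
    props = parse_properties(properties_text)
    findings = []
    if is_vulnerable_version(gateway_version):
        findings.append(f"spring-cloud-gateway {gateway_version} predates the fixed release; upgrade")
    exposed = {e.strip() for e in props.get(EXPOSURE_KEY, "").split(",") if e.strip()}
    # '*' is Spring Boot's wildcard exposing every endpoint, gateway included (not in the article).
    if "gateway" in exposed or "*" in exposed:
        findings.append(f"gateway actuator endpoint exposed over HTTP via {EXPOSURE_KEY}")
    if props.get(ACCESSOR_KEY, "true").lower() == "false":
        findings.append("restrictive property accessor disabled; route SpEL can reach system properties")
    return findings


if __name__ == "__main__":
    print("weak   :", audit(WEAK_CONFIG, "4.2.4"))
    print("patched:", audit(HARDENED_CONFIG, "4.2.5"))
```

The version check alone is not a clean bill of health: a patched gateway with the endpoint still exposed and unauthenticated keeps a route-management interface open to the network, which is why the audit reports the exposure finding independently of the version.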

The vulnerability underscores the critical importance of properly securing actuator endpoints in Spring applications, as these administrative interfaces continue to present attractive targets for attackers seeking system-level access.
