Spring Cloud Gateway Header Forwarding Vulnerability from Untrusted Proxies

Vulnerability

A vulnerability exists in Spring Cloud Gateway Server and Spring Cloud Gateway Server MVC, where the 'X-Forwarded-For' and 'Forwarded' headers are forwarded from untrusted proxies. Because the gateway passes these client-supplied headers on to upstream services, a caller could manipulate request headers and cause security issues in anything downstream that relies on them.

Impact

Exploitation of this vulnerability could result in the improper handling of forwarded headers, allowing untrusted proxies to influence the application's request processing.

Remediation

Users should upgrade to Spring Cloud Gateway Server versions 4.3.0, 4.2.3, or 4.1.8, or to Spring Cloud Gateway Server MVC versions 4.2.3 or 4.1.8. After upgrading, 'X-Forwarded-*' and 'Forwarded' header functionality will be disabled by default. If this functionality is needed, 'spring.cloud.gateway.trusted-proxies' or 'spring.cloud.gateway.mvc.trusted-proxies' can be set to specify trusted proxies. If upgrading is not possible, 'X-Forwarded' and 'Forwarded' header functionality can be disabled.
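The following is an added illustration of the trusted-proxy rule described above; it is not code from the Spring Cloud Gateway project. It models, in plain Python, the difference between a gateway that honours client-supplied 'X-Forwarded-For' / 'Forwarded' headers from any peer (the behaviour the advisory describes) and one that only honours them when the immediate peer matches a trusted-proxies pattern. The assumption that the 'spring.cloud.gateway.trusted-proxies' value is a regular expression matched against the peer address, the function names (forward_headers_legacy, forward_headers, client_ip_seen_upstream), the constant TRUSTED_PROXIES_PATTERN and all IP addresses are constructed for this example and should be checked against the Spring Cloud Gateway reference documentation before being relied on.

```python
import re
from typing import Dict, Optional

# Constructed sample value. Assumption: the trusted-proxies setting is a regular
# expression that must fully match the address of the directly connected peer.
TRUSTED_PROXIES_PATTERN = r"10\.0\.0\..*"

FORWARDING_HEADERS = ("x-forwarded-for", "forwarded")


def is_trusted_proxy(peer_ip: str, pattern: Optional[str]) -> bool:
    """True only when a pattern is configured and the peer address fully matches it."""
    if pattern is None:
        return False
    return re.fullmatch(pattern, peer_ip) is not None


def forward_headers_legacy(peer_ip: str, incoming: Dict[str, str]) -> Dict[str, str]:
    """Pre-fix behaviour modelled from the advisory: whatever the caller sent in
    X-Forwarded-For / Forwarded is kept and the peer is appended, regardless of
    who the peer is. A direct client can therefore choose the leftmost address."""
    out = dict(incoming)
    existing = incoming.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {peer_ip}" if existing else peer_ip
    fwd = incoming.get("Forwarded")
    out["Forwarded"] = f"{fwd}, for={peer_ip}" if fwd else f"for={peer_ip}"
    return out


def forward_headers(peer_ip: str, incoming: Dict[str, str],
                    trusted_pattern: Optional[str]) -> Dict[str, str]:
    """Hardened behaviour: client-supplied forwarding headers are honoured only
    when the peer is a trusted proxy. Otherwise they are dropped and replaced
    with values derived from the real peer address. With no pattern configured
    (the post-upgrade default) nothing from the caller is trusted."""
    # Strip any forwarding headers the caller supplied before deciding.
    out = {k: v for k, v in incoming.items() if k.lower() not in FORWARDING_HEADERS}
    if is_trusted_proxy(peer_ip, trusted_pattern):
        existing = incoming.get("X-Forwarded-For")
        out["X-Forwarded-For"] = f"{existing}, {peer_ip}" if existing else peer_ip
        fwd = incoming.get("Forwarded")
        out["Forwarded"] = f"{fwd}, for={peer_ip}" if fwd else f"for={peer_ip}"
    else:
        out["X-Forwarded-For"] = peer_ip
        out["Forwarded"] = f"for={peer_ip}"
    return out


def client_ip_seen_upstream(headers: Dict[str, str]) -> str:
    """What a naive upstream service that reads the leftmost X-Forwarded-For
    entry would record as the client address."""
    return headers["X-Forwarded-For"].split(",")[0].strip()


if __name__ == "__main__":
    # Constructed scenario: a direct client (203.0.113.7) claims to be 10.0.0.5.
    spoofed = {"X-Forwarded-For": "10.0.0.5", "Host": "api.example.test"}
    print("legacy   :", client_ip_seen_upstream(forward_headers_legacy("203.0.113.7", spoofed)))
    print("hardened :", client_ip_seen_upstream(
        forward_headers("203.0.113.7", spoofed, TRUSTED_PROXIES_PATTERN)))
    # A genuine trusted proxy (10.0.0.2) relaying a real client is still honoured.
    relayed = {"X-Forwarded-For": "198.51.100.9"}
    print("via proxy:", forward_headers("10.0.0.2", relayed, TRUSTED_PROXIES_PATTERN)["X-Forwarded-For"])
```

The point of the comparison is the default: once no trusted-proxies value is configured, forward_headers never accepts a caller's forwarding headers, which matches the advisory's statement that the functionality is disabled by default after upgrading. Any upstream allowlist, rate limiter or audit log that keys on the leftmost 'X-Forwarded-For' entry is only as trustworthy as the set of peers allowed to populate it.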

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.6
exploitability: 7.0
remediation: 8.3
relevance: 0.1
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.