Spring Cloud Gateway Server WebFlux Property Modification Vulnerability

Vulnerability

A vulnerability allowing unauthorized modification of Spring Environment properties may exist in certain versions of Spring Cloud Gateway Server WebFlux. This issue arises when the application includes the Spring Boot actuator, with the Spring Cloud Gateway Server WebFlux actuator web endpoint enabled and exposed to attackers without any security controls in place. Affected versions include Spring Cloud Gateway 4.3.0 through 4.3.x, 4.2.0 through 4.2.x, 4.1.0 through 4.1.x, 4.0.0 through 4.0.x, 3.1.0 through 3.1.x, and older unsupported versions.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of application properties, potentially allowing attackers to alter application behavior or configuration.

Remediation

Users should upgrade to Spring Cloud Gateway versions 4.3.1, 4.2.5, 4.1.11, or 3.1.11, depending on their current version. If an upgrade is not possible, remove 'gateway' from the 'management.endpoints.web.exposure.include' property or secure the actuator endpoints.
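As an added example (not part of the advisory and not Spring's own code), a small Python audit that applies the remediation advice above: it parses a Spring Boot application.properties file, reports whether the gateway actuator endpoint is exposed over the web, and compares a Spring Cloud Gateway version against the fixed releases listed. It assumes Spring Boot's documented exposure semantics (include defaults to health, '*' selects every endpoint, exclude takes precedence over include); the sample configuration is constructed.

```python
"""Check a Spring Boot configuration for the exposed 'gateway' actuator endpoint."""
from __future__ import annotations

INCLUDE_KEY = "management.endpoints.web.exposure.include"
EXCLUDE_KEY = "management.endpoints.web.exposure.exclude"

# Fixed releases named in the advisory, keyed by (major, minor). 4.0.x has no fixed release listed.
FIXED_RELEASES = {(4, 3): (4, 3, 1), (4, 2): (4, 2, 5), (4, 1): (4, 1, 11), (3, 1): (3, 1, 11)}

# Constructed sample: an application.properties that exposes the gateway endpoint.
SAMPLE_PROPERTIES = """
# constructed example, not from a real deployment
server.port=8080
management.endpoints.web.exposure.include=health,info,gateway
"""

def parse_properties(text: str) -> dict[str, str]:
    """Minimal .properties parser: key=value lines; '#'/'!' comment lines and blanks are skipped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def _csv(value: str | None) -> set[str]:
    return {item.strip() for item in (value or "").split(",") if item.strip()}

def gateway_endpoint_exposed(props: dict[str, str]) -> bool:
    """True when the 'gateway' endpoint is exposed over HTTP (assumed Spring Boot semantics:
    include defaults to 'health', '*' selects every endpoint, exclude wins over include)."""
    include = _csv(props.get(INCLUDE_KEY, "health"))
    exclude = _csv(props.get(EXCLUDE_KEY))
    if "gateway" in exclude or "*" in exclude:
        return False
    return "gateway" in include or "*" in include

def version_is_vulnerable(version: str) -> bool:
    """Compare a Spring Cloud Gateway version with the fixed releases from the advisory.
    Lines without a listed fix (4.0.x and older) are treated as affected."""
    parts = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    fixed = FIXED_RELEASES.get(parts[:2])
    return parts < (fixed if fixed is not None else (4, 3, 1))
```

Run it against each service's effective configuration; a result of True from both checks means the advisory's mitigation (removing 'gateway' from the include list, or upgrading) still has to be applied.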

Added: Sep 16, 2025, 3:42 PM
Updated: Sep 16, 2025, 3:42 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 0.6
exploitability: 7.0
remediation: 8.3
relevance: 0.5
threat: 0.1
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.