CVE-2025-41243
Published: 16 September 2025
Summary
CVE-2025-41243 is a critical-severity code injection (CWE-94) vulnerability in Spring Cloud Gateway Server Webflux. Its CVSS v3.1 base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations on the otherwise unsecured actuator endpoints, directly preventing the unauthenticated remote access needed to modify Spring Environment properties.
- CM-7 (Least Functionality): restricts the system to least functionality by not exposing the gateway actuator endpoint (removing gateway from management.endpoints.web.exposure.include), which removes the vulnerable endpoint altogether.
- Network boundary control: monitors and controls network access to internal actuator endpoints so they are not reachable by external attackers, a precondition for exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): direct remote exploitation of an exposed, unsecured Spring actuator endpoint, enabling code injection and arbitrary code execution.
NVD Description
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true:
- The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
- Spring Boot actuator is a dependency.
- The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
- The actuator endpoints are available to attackers.
- The actuator endpoints are unsecured.
Deeper analysis
CVE-2025-41243 is a critical vulnerability in Spring Cloud Gateway Server Webflux that allows Spring Environment property modification. Applications are vulnerable only if they meet all of the following conditions: they use Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not affected); Spring Boot actuator is included as a dependency; the gateway actuator web endpoint is explicitly enabled via the configuration property management.endpoints.web.exposure.include=gateway; the actuator endpoints are exposed and accessible to attackers; and the actuator endpoints lack security controls.
The vulnerability is associated with CWE-94 (Improper Control of Generation of Code ('Code Injection')) and CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')). It has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network accessible, low attack complexity, no privileges or user interaction required, changed scope, and high impact on confidentiality, integrity, and availability.
Remote attackers can exploit this vulnerability by accessing the unsecured gateway actuator endpoint over the network. Exploitation enables modification of Spring Environment properties, potentially leading to arbitrary code execution, data exfiltration, system compromise, or denial of service, as reflected in the CVSS impact metrics.
The official Spring security advisory at https://spring.io/security/cve-2025-41243 provides further details on affected versions and recommended mitigations.
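As an added example (not from this page, NVD, or the Spring project), the following Python auditor checks the two conditions above that are under an operator's control: a static check of an application.properties text for the exposure setting named in the advisory, and a live HTTP probe of the gateway actuator endpoint to see whether it answers without authentication. The function names, the sample configurations and the sample actuator index body are constructed for illustration. The Spring Boot semantics it assumes (management.endpoints.web.exposure.include is a comma-separated list or *, exclude overrides include, and the default include is health) and the /actuator/gateway/routes path are assumptions to confirm against your Spring Boot and Spring Cloud Gateway versions.

```python
"""Audit for the operator-controlled conditions behind CVE-2025-41243.

Hypothetical helper code, not Spring tooling:
  audit_properties(): static check of an application.properties text.
  probe_gateway():    live check of an actuator base URL.
"""
import json
import urllib.error
import urllib.request


def parse_properties(text):
    """Minimal .properties parser: key=value (or key:value), '#'/'!' comments.
    No multi-line values and no YAML; good enough for the exposure keys."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def audit_properties(text):
    """Return (exposed, reason). exposed is True when these properties would
    publish the gateway actuator endpoint over HTTP.
    Assumed Spring Boot semantics: include is a comma list or '*', exclude
    wins over include, and the default include is 'health'."""
    props = parse_properties(text)
    include = _csv(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "gateway" in exclude or "*" in exclude:
        return False, "gateway endpoint excluded from web exposure"
    if "gateway" in include:
        return True, "management.endpoints.web.exposure.include lists gateway"
    if "*" in include:
        return True, "management.endpoints.web.exposure.include=* exposes every endpoint"
    return False, "gateway endpoint not in the exposure include list"


def gateway_links(actuator_index_json):
    """From the JSON body of GET /actuator, return the sorted link names that
    belong to the gateway endpoint (assumed to be keys starting with 'gateway')."""
    links = json.loads(actuator_index_json).get("_links", {})
    return sorted(name for name in links if name.startswith("gateway"))


def classify_status(status):
    """Map the HTTP status of an unauthenticated GET to a finding."""
    if status == 200:
        return "exposed-unauthenticated"  # every advisory condition is met
    if status in (401, 403):
        return "exposed-authenticated"    # reachable, but access is enforced
    if status == 404:
        return "not-exposed"
    return "unknown"


def probe_gateway(base_url, timeout=5):
    """Live check of <base_url>/actuator/gateway/routes (path assumed).
    Returns a classify_status() label, or 'unreachable' on connection errors."""
    url = base_url.rstrip("/") + "/actuator/gateway/routes"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as e:
        return classify_status(e.code)
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample configurations, not taken from any real deployment.
WEAK_PROPERTIES = """
spring.application.name=edge-gateway
# publishes the gateway actuator endpoint over HTTP, as the advisory describes
management.endpoints.web.exposure.include=health,info,gateway
"""

HARDENED_PROPERTIES = """
spring.application.name=edge-gateway
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=gateway
"""

# Constructed body of the kind GET /actuator returns when gateway is exposed.
SAMPLE_INDEX = json.dumps({"_links": {
    "self": {"href": "http://gw/actuator"},
    "health": {"href": "http://gw/actuator/health"},
    "gateway-routes": {"href": "http://gw/actuator/gateway/routes"},
    "gateway-refresh": {"href": "http://gw/actuator/gateway/refresh"},
}})

if __name__ == "__main__":
    print("weak config    :", audit_properties(WEAK_PROPERTIES))
    print("hardened config:", audit_properties(HARDENED_PROPERTIES))
    print("gateway links  :", gateway_links(SAMPLE_INDEX))
    # Point this at a gateway you are authorised to test.
    print("live probe     :", probe_gateway("http://127.0.0.1:8080"))
```

A 200 from the probe means the endpoint is both exposed and unsecured, which is the full set of advisory conditions; a 401 or 403 means AC-3-style access enforcement is in place, and a 404 means the endpoint is not exposed (the CM-7 outcome). The static check is the cheaper control to run in CI, since it catches the exposure setting before the gateway is ever deployed.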
Details
- CWE(s)