Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@3.1.0
Typemaven
Namespaceorg.springframework.cloud
Namespring-cloud-gateway-server-webflux
Version3.1.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.2.5
Latest_non_vulnerable_version4.3.1
Affected_by_vulnerabilities
0
url VCID-1bzt-rfvg-cuan
vulnerability_id VCID-1bzt-rfvg-cuan
summary 
Spring Expression language property modification using Spring Cloud Gateway Server WebFlux
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.

An application should be considered vulnerable when all the following are true:

*  The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
*  Spring Boot actuator is a dependency.
*  The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
*  The actuator endpoints are available to attackers.
*  The actuator endpoints are unsecured.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-41243
reference_id
reference_type
scores
0
value 0.06417
scoring_system epss
scoring_elements 0.91189
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-41243
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-41243
reference_id CVE-2025-41243
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-41243
2
reference_url https://spring.io/security/cve-2025-41243
reference_id CVE-2025-41243
reference_type
scores
url https://spring.io/security/cve-2025-41243
3
reference_url https://github.com/advisories/GHSA-q2cj-h8fw-q4cc
reference_id GHSA-q2cj-h8fw-q4cc
reference_type
scores
url https://github.com/advisories/GHSA-q2cj-h8fw-q4cc
fixed_packages
0
url pkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@4.2.5
purl pkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@4.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@4.2.5
1
url pkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@4.3.1
purl pkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@4.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@4.3.1
aliases CVE-2025-41243, GHSA-q2cj-h8fw-q4cc
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1bzt-rfvg-cuan
1
url VCID-q91x-cu9t-2uch
vulnerability_id VCID-q91x-cu9t-2uch
summary 
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.

An application should be considered vulnerable when all the following are true:

*  The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
*  An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
*  An untrusted third party could create a route that uses SpEL to access environment variables or system properties if:  *  The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.
*  The actuator endpoints are available to attackers.
*  The actuator endpoints are unsecured.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-41253
reference_id
reference_type
scores
0
value 0.00049
scoring_system epss
scoring_elements 0.15565
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-41253
1
reference_url https://github.com/spring-cloud/spring-cloud-gateway
reference_id
reference_type
scores
url https://github.com/spring-cloud/spring-cloud-gateway
2
reference_url https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1
reference_id
reference_type
scores
url https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1
3
reference_url https://spring.io/security/cve/2025-41253
reference_id
reference_type
scores
url https://spring.io/security/cve/2025-41253
4
reference_url https://www.cve.org/CVERecord?id=CVE-2025-41253
reference_id
reference_type
scores
url https://www.cve.org/CVERecord?id=CVE-2025-41253
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-41253
reference_id CVE-2025-41253
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-41253
6
reference_url https://github.com/advisories/GHSA-fwxx-wv44-7qfg
reference_id GHSA-fwxx-wv44-7qfg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fwxx-wv44-7qfg
fixed_packages
aliases CVE-2025-41253, GHSA-fwxx-wv44-7qfg
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q91x-cu9t-2uch
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@3.1.0