VulnerableCode Package Details - pkg:maven/org.springframework.cloud/spring-cloud-gateway-server-webflux@4.3.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-5fa6-tx2k-eyad Aliases: CVE-2025-41243 GHSA-q2cj-h8fw-q4cc	Spring Expression language property modification using Spring Cloud Gateway Server WebFlux Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured.	4.3.1 Affected by 0 other vulnerabilities.
VCID-wgh9-vus7-rfg2 Aliases: CVE-2025-41253 GHSA-fwxx-wv44-7qfg	Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes. * An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-5fa6-tx2k-eyad
Aliases:
CVE-2025-41243
GHSA-q2cj-h8fw-q4cc

Spring Expression language property modification using Spring Cloud Gateway Server WebFlux Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * Spring Boot actuator is a dependency. * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured.

4.3.1
Affected by 0 other vulnerabilities.

VCID-wgh9-vus7-rfg2
Aliases:
CVE-2025-41253
GHSA-fwxx-wv44-7qfg

Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). * An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes. * An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte. * The actuator endpoints are available to attackers. * The actuator endpoints are unsecured.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:48:10.428267+00:00	GitLab Importer	Affected by	VCID-wgh9-vus7-rfg2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-gateway-server-webflux/CVE-2025-41253.yml	38.6.0
2026-06-02T04:47:49.047524+00:00	GitLab Importer	Affected by	VCID-5fa6-tx2k-eyad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-gateway-server-webflux/CVE-2025-41243.yml	38.6.0

2026-06-02T04:48:10.428267+00:00

GitLab Importer

Affected by

VCID-wgh9-vus7-rfg2

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-gateway-server-webflux/CVE-2025-41253.yml

38.6.0

2026-06-02T04:47:49.047524+00:00

GitLab Importer

Affected by

VCID-5fa6-tx2k-eyad

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.cloud/spring-cloud-gateway-server-webflux/CVE-2025-41243.yml

38.6.0

Next non-vulnerable version	4.3.1
Latest non-vulnerable version	4.3.1
Risk