
CVE-2025-41243: Spring Expression language property modification using Spring Cloud Gateway Server WebFlux

CVSS Score: 10 (CVSS 3.1)

Basic Information

EPSS Score: -
Published: 9/16/2025
Updated: 9/16/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name                                                   Ecosystem  Vulnerable Versions   First Patched Version
org.springframework.cloud:spring-cloud-gateway-server-webflux  maven      >= 3.1.0, <= 3.1.10   -
org.springframework.cloud:spring-cloud-gateway-server-webflux  maven      >= 4.0.0, <= 4.1.10   -
org.springframework.cloud:spring-cloud-gateway-server-webflux  maven      >= 4.2.0, < 4.2.5     4.2.5
org.springframework.cloud:spring-cloud-gateway-server-webflux  maven      >= 4.3.0, < 4.3.1     4.3.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a Spring Expression Language (SpEL) injection in the Spring Cloud Gateway actuator endpoint that allows property modification and potentially remote code execution. Analysis of the commits between the last vulnerable version (4.3.0) and the first patched version (4.3.1) identified a security fix in commit b957599edcb26107d0e16d2675f7139a2be4d996. This commit modifies ShortcutConfigurable.java to disable property assignment in the SpEL EvaluationContext; the change is in the constructor of the GatewayEvaluationContext inner class, which is the context used when processing requests to the actuator endpoint. Because assignment was not disabled, an attacker could supply a crafted SpEL expression that modifies application properties. The vulnerable function is therefore the constructor org.springframework.cloud.gateway.support.ShortcutConfigurable$GatewayEvaluationContext.GatewayEvaluationContext, which created the overly permissive evaluation context.

Vulnerable functions

org.springframework.cloud.gateway.support.ShortcutConfigurable$GatewayEvaluationContext.GatewayEvaluationContext
spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/support/ShortcutConfigurable.java
The constructor for `GatewayEvaluationContext` creates a `SimpleEvaluationContext` for SpEL (Spring Expression Language) evaluation. Before the patch, this context did not disable property assignment. This allowed an attacker to craft a request to the gateway actuator endpoint with a malicious SpEL expression that could modify Spring Environment properties, leading to remote code execution. The patch adds `.withAssignmentDisabled()` to the context builder to mitigate this.
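The hardening the analysis describes, `withAssignmentDisabled()` on the `SimpleEvaluationContext` builder, can be seen in isolation with the following added example. It is not Spring Cloud Gateway's code and does not reproduce the gateway's builder chain: it assumes Spring Framework 6.1.11 or later (where `SimpleEvaluationContext.Builder.withAssignmentDisabled()` exists), starts from a read/write data-binding builder so the effect of the one call is visible, and uses a constructed `Settings` root object and constructed expressions.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/**
 * Added illustration of withAssignmentDisabled(): the same expressions are
 * evaluated against a SimpleEvaluationContext built with and without it.
 * Not Spring Cloud Gateway code; root object and expressions are constructed.
 * Assumes Spring Framework 6.1.11+ (or 5.3.38+), where the builder method exists.
 */
public class SpelAssignmentDemo {

    /** Constructed sample root object standing in for whatever a filter
     *  argument expression is evaluated against. Hypothetical, not a gateway type. */
    public static class Settings {
        private String label = "initial";
        private final Map<String, String> props = new HashMap<>();

        public String getLabel() { return label; }
        public void setLabel(String label) { this.label = label; }
        public Map<String, String> getProps() { return props; }
    }

    /** Builds the evaluation context. A read/write data-binding builder is used
     *  deliberately so that only withAssignmentDisabled() changes the outcome. */
    static SimpleEvaluationContext context(boolean assignmentDisabled) {
        SimpleEvaluationContext.Builder builder =
                SimpleEvaluationContext.forReadWriteDataBinding().withInstanceMethods();
        if (assignmentDisabled) {
            builder = builder.withAssignmentDisabled();   // the patched behaviour
        }
        return builder.build();
    }

    /** Returns true if SpEL evaluated the expression, false if it rejected it. */
    static boolean evaluate(String expr, Object root, boolean assignmentDisabled) {
        Expression e = new SpelExpressionParser().parseExpression(expr);
        try {
            e.getValue(context(assignmentDisabled), root);
            return true;
        } catch (EvaluationException ex) {
            System.out.println("  rejected: " + ex.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String[] exprs = {
            "label",                    // plain read: allowed either way
            "label = 'changed'",        // assignment operator on a property
            "props['key'] = 'value'",   // indexed write into a map
        };
        for (boolean disabled : new boolean[] { false, true }) {
            System.out.println("assignment disabled = " + disabled);
            for (String expr : exprs) {
                Settings s = new Settings();   // fresh root per expression
                boolean ok = evaluate(expr, s, disabled);
                System.out.printf("  %-26s -> %s (label=%s, props=%s)%n",
                        expr, ok ? "evaluated" : "blocked", s.getLabel(), s.getProps());
            }
        }
    }
}
```

With assignment enabled, the `=` expressions mutate the root object (the label changes and the map gains an entry); with `withAssignmentDisabled()`, the plain read still works but both assignments throw an `EvaluationException` and the root object is left untouched. That is the property a reviewer should confirm when checking that a SpEL context exposed to request data cannot be used to write state.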

WAF Protection Rules

WAF Rule

Spring Cloud Gateway Server WebFlux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: * The application is using Spring Cloud Gateway Server WebFlux (Sp
