CVE-2025-41253: Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: -
Published: 10/16/2025
Updated: 10/16/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.springframework.cloud:spring-cloud-gateway-server-webflux | maven | >= 3.1.0, <= 4.3.0 | -

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The analysis began by reviewing the vulnerability description, which indicated a Spring Expression Language (SpEL) injection vulnerability in Spring Cloud Gateway, allowing access to environment variables. The advisory mentioned that versions up to 4.3.0 were affected. External research confirmed that version 4.3.2 included the patch. By comparing the git tags for versions v4.3.1 and v4.3.2 in the spring-cloud/spring-cloud-gateway repository, the commit e083547c12d2fc45d701b6771efae7d7af019119 was identified as the security fix, titled "Adding custom BeanFactoryResolver".

An in-depth analysis of this commit pinpointed the vulnerability's root cause. The patch modifies org.springframework.cloud.gateway.support.ShortcutConfigurable.java. The normalize method within this class processes configuration for gateway components, which can involve evaluating SpEL expressions from user-provided route definitions.

The vulnerability existed because the SpEL evaluation context used a default BeanFactoryResolver, which did not restrict access to potentially sensitive beans like @systemProperties and @systemEnvironment. An attacker could exploit this by sending a crafted route definition to an exposed gateway actuator endpoint.

The patch addresses this by introducing a new inner class, GatewayBeanFactoryResolver, which overrides the resolve method to explicitly throw an AccessException if an attempt is made to resolve the systemEnvironment or systemProperties beans. The GatewayEvaluationContext, used by the normalize method, was updated to use this new restrictive resolver.

Therefore, org.springframework.cloud.gateway.support.ShortcutConfigurable.normalize is the identified vulnerable function. It is the method that orchestrates the evaluation of the malicious SpEL expression within a permissive context. During an exploit, this function would be present in the runtime profile or stack trace as it processes the malicious payload.
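As an added illustration of the mitigation described above, and not code from the Spring Cloud Gateway patch itself, the hypothetical RestrictedBeanResolver below mirrors the behaviour attributed to GatewayBeanFactoryResolver: it delegates to the standard BeanFactoryResolver but throws AccessException when a SpEL expression references the systemEnvironment or systemProperties beans. The class names, the evaluate helper and the registered bean names and values are constructed for this demo.

```java
import java.util.Map;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.expression.AccessException;
import org.springframework.expression.BeanResolver;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/** Hypothetical demo: a bean resolver that refuses the two sensitive beans named in the analysis. */
public final class RestrictedBeanResolverDemo {
    static final class RestrictedBeanResolver implements BeanResolver {
        private final BeanResolver delegate;
        RestrictedBeanResolver(BeanFactory beanFactory) {
            // Everything not explicitly denied is resolved by the normal Spring resolver.
            this.delegate = new BeanFactoryResolver(beanFactory);
        }
        @Override
        public Object resolve(EvaluationContext context, String beanName) throws AccessException {
            if ("systemEnvironment".equals(beanName) || "systemProperties".equals(beanName)) {
                throw new AccessException("Access to bean '" + beanName + "' is not allowed in route configuration");
            }
            return delegate.resolve(context, beanName);
        }
    }

    /** Evaluates a SpEL expression as a route argument would be, with the restricted resolver installed. */
    static String evaluate(BeanFactory beanFactory, String expression) {
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setBeanResolver(new RestrictedBeanResolver(beanFactory));
        try {
            return String.valueOf(new SpelExpressionParser().parseExpression(expression).getValue(ctx));
        } catch (EvaluationException e) {
            // SpEL wraps the AccessException from the resolver in an EvaluationException.
            return "DENIED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        DefaultListableBeanFactory bf = new DefaultListableBeanFactory();
        // Constructed stand-ins for beans a Spring Boot application normally registers.
        bf.registerSingleton("systemEnvironment", Map.of("SECRET_TOKEN", "constructed-value"));
        bf.registerSingleton("routeTimeouts", Map.of("default", 3000));
        System.out.println(evaluate(bf, "@routeTimeouts['default']"));
        System.out.println(evaluate(bf, "@systemEnvironment['SECRET_TOKEN']"));
    }
}
```

Note that a deny-list of two bean names only closes the specific exposure described here; any other bean registered in the context remains reachable from a route expression, so exposing the actuator endpoint that accepts route definitions is the condition that still needs to be controlled.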

Vulnerable functions

org.springframework.cloud.gateway.support.ShortcutConfigurable.normalize
spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/support/ShortcutConfigurable.java
This function normalizes arguments for gateway filters and predicates, which can include Spring Expression Language (SpEL) expressions. Before the patch, it used a standard `BeanFactoryResolver` that allowed SpEL expressions to access sensitive beans like `@systemProperties` and `@systemEnvironment`. An attacker could craft a malicious route definition via an exposed actuator endpoint, causing this function to evaluate the SpEL expression and exfiltrate environment variables or system properties. The patch mitigates this by introducing a custom `GatewayBeanFactoryResolver` that blocks access to these sensitive beans.

WAF Protection Rules

WAF Rule

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true:
