spring-cloud-netflix-zuul is vulnerable to an authorization bypass. An attacker can send a request containing a malicious URL to bypass the “Sensitive Headers” restrictions. Applications using Spring Security’s StrictHttpFirewall (enabled by default for all URLs) are not affected by this vulnerability.