Vulnerability in Spring Cloud Gateway Server WebFlux Discovered; Easily Targeted by Attackers

Security Advisory: CVE-2025-41243. A critical vulnerability has been disclosed in Spring Cloud Gateway Server WebFlux. Under specific configurations it allows attackers to modify sensitive Spring Environment properties.

Severity: Critical
CVSS Score: 10.0
CVEs: CVE-2025-41243
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0

Overview 

The vulnerability has been assigned the maximum CVSS score of 10.0. It arises when actuator endpoints are exposed without proper security controls, potentially allowing attackers to compromise application behavior. Organizations and users of affected versions are strongly urged to upgrade to the fixed releases. 

Vulnerability Name: Spring Expression Language Property Modification
CVE ID: CVE-2025-41243
Product Affected: Spring Cloud Gateway WebFlux
Severity: Critical
Fixed Versions: v4.3.1, v4.2.5, v4.1.11, v3.1.11

Technical Summary 

CVE-2025-41243 is a critical vulnerability that occurs when the Spring Boot actuator is included as a dependency and the gateway actuator endpoint is explicitly exposed via the “management.endpoints.web.exposure.include=gateway” configuration.

In such cases, if actuator endpoints are unsecured or exposed to public networks, an attacker could exploit them to modify Spring Environment properties at runtime. This could cause unauthorized access, configuration tampering, and potential application compromise. 

CVE ID: CVE-2025-41243
Systems Affected: Spring Cloud Gateway WebFlux 4.3.0 – 4.3.x, 4.2.0 – 4.2.x, 4.1.0 – 4.1.x, 4.0.0 – 4.0.x, 3.1.0 – 3.1.x, and older, unsupported versions
Vulnerability Details: Improperly secured actuator endpoints in Spring Cloud Gateway WebFlux allow unauthorized modification of Spring Environment properties.
Impact: Unauthorized access and potential privilege escalation

Remediation

Upgrade immediately: patch to the fixed versions listed below.

  • Affected 4.3.x: upgrade to 4.3.1
  • Affected 4.2.x: upgrade to 4.2.5
  • Affected 4.1.x and 4.0.x: upgrade to 4.1.11
  • Affected 3.1.x: upgrade to 3.1.11
  • Unsupported versions: migrate to a supported release

If you are unable to upgrade right now, the following mitigations are recommended:

  • Remove gateway from the “management.endpoints.web.exposure.include” property or secure the actuator endpoints. 
  • Secure actuator endpoints with proper authentication and access controls. 
  • Regularly audit and harden application configuration files. 
  • Monitor application and network logs for suspicious activity or unauthorized access attempts. 
  • Implement firewall rules or reverse proxies to restrict access to sensitive endpoints. 
  • Ensure all systems follow patch management and update policies. 
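The precondition described in the Technical Summary and the first mitigation above both come down to one property value. As an added example (not code from the advisory or from the Spring project), this Python check reads an application.properties file and reports whether the gateway actuator endpoint would be web-exposed, covering the exact setting the advisory quotes, the `*` wildcard, and the exclude override; it assumes Spring Boot's documented exposure rules that `include` defaults to `health`, `*` selects every endpoint, and `exclude` takes precedence over `include`.

```python
"""Audit an application.properties file for the CVE-2025-41243 precondition.

Added example (not from the advisory or Spring). Assumes Spring Boot's rules:
include defaults to `health`, `*` means all, exclude takes precedence.
"""
import re

INCLUDE_KEY = "management.endpoints.web.exposure.include"
EXCLUDE_KEY = "management.endpoints.web.exposure.exclude"
DEFAULT_INCLUDE = {"health"}

# Constructed samples: the exposure the advisory quotes, and a hardened variant.
WEAK_CONFIG = "management.endpoints.web.exposure.include=gateway,health\n"
HARDENED_CONFIG = "management.endpoints.web.exposure.include=health,info\n"


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: 'key=value' or 'key: value'; '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def _endpoints(value, default: set) -> set:
    """Split a comma-separated endpoint list, or fall back to the default."""
    if value is None:
        return set(default)
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def gateway_endpoint_exposed(props: dict) -> bool:
    """True when the `gateway` actuator endpoint would be reachable over HTTP."""
    include = _endpoints(props.get(INCLUDE_KEY), DEFAULT_INCLUDE)
    exclude = _endpoints(props.get(EXCLUDE_KEY), set())
    if "gateway" in exclude or "*" in exclude:
        return False  # exclude wins over include
    return "gateway" in include or "*" in include


def audit(text: str) -> list:
    """Return one finding when the gateway endpoint is exposed, else an empty list."""
    props = parse_properties(text)
    if not gateway_endpoint_exposed(props):
        return []
    return [f"{INCLUDE_KEY}={props.get(INCLUDE_KEY, '<default>')} exposes the gateway "
            "actuator endpoint: drop 'gateway' (or '*') or put the actuator behind "
            "authentication, and upgrade to a fixed release"]
```

Run `audit()` over each deployed properties file; a non-empty result means the endpoint the advisory warns about is exposed and the upgrade or the first mitigation applies.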

Conclusion 
CVE-2025-41243 is a critical vulnerability affecting Spring Cloud Gateway WebFlux, allowing remote attackers to modify environment properties when actuator endpoints are misconfigured and exposed.

While no active exploitation has been observed in the wild, the vulnerability poses a high risk to application integrity and security because of its CVSS score of 10.0 and its ease of exploitation on exposed systems.

Organizations are strongly advised to upgrade to the fixed versions, secure actuator endpoints, and follow best practices to reduce attack surface and prevent future exploitation. 
