CVE-2025-41253
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-16
Assigner: VMware
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_cloud_gateway | 3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-917 | The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Spring Cloud Gateway Server Webflux when certain conditions are met. Specifically, if the application uses Spring Cloud Gateway Server Webflux and allows an admin or untrusted third party to use Spring Expression Language (SpEL) in routes to access environment variables or system properties, attackers may be able to expose sensitive environment variables and system properties. This can happen if the actuator web endpoints for the gateway are enabled and exposed without proper security, allowing attackers to create routes that exploit SpEL to access this information.
How can this vulnerability impact me?
The vulnerability can lead to exposure of sensitive environment variables and system properties to attackers. This could result in leakage of confidential configuration data, credentials, or other sensitive information stored in environment variables or system properties, potentially leading to unauthorized access or further exploitation of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, check if your application is using Spring Cloud Gateway Server Webflux and if the actuator endpoints related to the gateway are enabled and exposed without proper security. Specifically, verify if management.endpoints.web.exposure.include includes 'gateway' and if management.endpoint.gateway.enabled is true or management.endpoint.gateway.access is set to 'unrestricted'. Also, confirm if untrusted parties can create routes using Spring Expression Language (SpEL) to access environment variables or system properties. Commands to check configuration files or running processes for these settings can help, but no specific commands are provided in the available information.
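One way to run the configuration check described above, as an added example (not code from the vendor or from this page): a small Python scanner for a Spring Boot `.properties` file that flags the exposure condition. The function names and sample configurations are constructed for illustration. It assumes `.properties` syntax without line continuations, does not read YAML, environment-variable or command-line overrides, and also treats `*` in the exposure list as including `gateway`, which goes beyond the literal wording above. It reports configuration only, not whether the endpoint is protected by authentication.

```python
import re

# Property names and risky values are the ones named in the text above.
EXPOSURE = "management.endpoints.web.exposure.include"
ENABLED = "management.endpoint.gateway.enabled"
ACCESS = "management.endpoint.gateway.access"

def parse_properties(text):
    """Parse key=value / key:value lines of a .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def gateway_actuator_findings(text):
    """Return a list of findings; empty means the exposure condition is not met."""
    props = parse_properties(text)
    exposed = [v.strip().strip("'\"").lower()
               for v in props.get(EXPOSURE, "").split(",")]
    # Spring Boot treats "*" as "expose every endpoint", gateway included.
    if "gateway" not in exposed and "*" not in exposed:
        return []
    findings = []
    if props.get(ENABLED, "").lower() == "true":
        findings.append(f"{ENABLED}=true with gateway endpoint exposed over web")
    if props.get(ACCESS, "").lower() == "unrestricted":
        findings.append(f"{ACCESS}=unrestricted with gateway endpoint exposed over web")
    return findings

# Constructed sample configurations (not taken from any real deployment).
RISKY = """
# actuator settings
management.endpoints.web.exposure.include=health,gateway
management.endpoint.gateway.access=unrestricted
"""
SAFE = """
management.endpoints.web.exposure.include=health,info
management.endpoint.gateway.enabled=false
"""

if __name__ == "__main__":
    for name, cfg in (("RISKY", RISKY), ("SAFE", SAFE)):
        print(name, gateway_actuator_findings(cfg) or "exposure condition not met")
```

A non-empty result means the actuator settings match the condition described above; whether untrusted parties can actually reach the endpoint or create SpEL routes still has to be confirmed separately.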
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or securing the Spring Cloud Gateway Server Webflux actuator endpoints by ensuring that management.endpoints.web.exposure.include does not expose the 'gateway' endpoint publicly, setting management.endpoint.gateway.enabled to false if not needed, or restricting access to the actuator endpoints to trusted users only. Additionally, prevent untrusted third parties from creating routes that use Spring Expression Language (SpEL) to access environment variables or system properties.