CVE-2025-41253

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers.<br /> <br /> An application should be considered vulnerable when all the following are true:<br /> <br /> * The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).<br /> * An admin or untrusted third party using Spring Expression Language (SpEL) to access environment variables or system properties via routes.<br /> * An untrusted third party could create a route that uses SpEL to access environment variables or system properties if: * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=trueor management.endpoint.gateway.access=unrestricte.<br /> * The actuator endpoints are available to attackers.<br /> * The actuator endpoints are unsecured.