Disclosed on September 16, 2025 (updated September 17, 2025)
While this vulnerability can provide a path to RCE, that path depends on an insecure and non-default Spring Cloud Gateway deployment where the Gateway Actuator endpoint is explicitly exposed, reachable by an attacker, and unsecured. Under an MVSP, publicly exposed unauthenticated actuator endpoints are not a normal baseline assumption, so the RCE path is configuration-dependent rather than directly exploitable in typical deployments.
PGV-2568629 is a category 4 vulnerability that affects org.springframework.cloud/spring-cloud-gateway-server-webflux, versions ≥ 3.1.0 & ≤ 3.1.10, ≥ 4.0.0 & ≤ 4.1.10, ≥ 4.2.0 & < 4.2.5, ≥ 4.3.0 & < 4.3.1
The risk assessment shows that this vulnerability is exploited by an external attacker: an unauthorized external actor who attempts to exploit this vulnerability without legitimate access.
The impact is an environmental compromise. Exploitation can escape the application boundary and impact the host environment, infrastructure, or other services.
The threat damage is caused by denial of service (exploitation can completely deny access to the application, resulting in a full outage), by a data breach (exploitation can result in full access to data within the system), and by data tampering (exploitation can result in modification of any data, authorized or not, within the system).
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.
An application should be considered vulnerable when all the following are true:
| Condition | Value | Description |
|---|---|---|
| Network Exposure | External | Accessible from the public internet |
| Access Interface | Web Browser | Primarily web-based applications |
| Service Outage | Disruptive | Operations would be impacted |
| Data Breach | Disruptive | Operations would be impacted |
| Data Tampering | Disruptive | Operations would be impacted |
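The two preconditions this advisory describes (an affected spring-cloud-gateway-server-webflux version and a gateway actuator endpoint exposed over HTTP) can be checked against a deployment's properties. The following is an added defender-side example, not code from the advisory or from the Spring project; the version ranges are copied from the advisory, the property names (`management.endpoints.web.exposure.include`, `management.endpoints.web.exposure.exclude`, `management.endpoint.gateway.enabled`) are standard Spring Boot / Spring Cloud Gateway keys, and the sample configurations are constructed.

```python
"""Added defender-side check for PGV-2568629 (not from the advisory or the Spring project).
Version ranges copied from the advisory; property names are standard Spring Boot /
Spring Cloud Gateway keys; sample configs below are constructed."""
from typing import Dict, Tuple

# (low, high, high_inclusive) for each affected range stated in the advisory
AFFECTED_RANGES = [
    ((3, 1, 0), (3, 1, 10), True),   # >= 3.1.0 & <= 3.1.10
    ((4, 0, 0), (4, 1, 10), True),   # >= 4.0.0 & <= 4.1.10
    ((4, 2, 0), (4, 2, 5), False),   # >= 4.2.0 & <  4.2.5
    ((4, 3, 0), (4, 3, 1), False),   # >= 4.3.0 & <  4.3.1
]

def parse_version(v: str) -> Tuple[int, int, int]:
    """Reduce '4.1.10', '4.2.4-SNAPSHOT' or '3.1.10.RELEASE' to a numeric triple."""
    parts = [int(p) for p in v.split("-")[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version: str) -> bool:
    ver = parse_version(version)
    return any(low <= ver and (ver <= high if inclusive else ver < high)
               for low, high, inclusive in AFFECTED_RANGES)

def gateway_actuator_exposed(props: Dict[str, str]) -> bool:
    """True when /actuator/gateway is enabled and in the web exposure list.
    Defaults follow Spring Boot: endpoint enabled, but only 'health' exposed; exclude wins over include."""
    include = {s.strip() for s in props.get("management.endpoints.web.exposure.include", "health").split(",")}
    exclude = {s.strip() for s in props.get("management.endpoints.web.exposure.exclude", "").split(",")}
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() == "true"
    return enabled and ("gateway" in include or "*" in include) and "gateway" not in exclude

def assess(version: str, props: Dict[str, str]) -> str:
    """Combine both preconditions; whether the actuator requires authentication must be verified separately."""
    if not is_affected(version):
        return "not-affected"
    return "affected-and-exposed" if gateway_actuator_exposed(props) else "affected-not-exposed"

# Constructed sample configurations (application.properties style), weak beside hardened
WEAK_CONFIG = {"management.endpoints.web.exposure.include": "*"}
HARDENED_CONFIG = {
    "management.endpoints.web.exposure.include": "health,info",
    "management.endpoint.gateway.enabled": "false",
}

if __name__ == "__main__":
    print(assess("4.2.4", WEAK_CONFIG))       # affected-and-exposed
    print(assess("4.2.4", HARDENED_CONFIG))   # affected-not-exposed
    print(assess("4.2.5", WEAK_CONFIG))       # not-affected
```

A result of "affected-not-exposed" still warrants upgrading, since the underlying property-modification issue remains in the library; the check only tells you whether the configuration-dependent RCE path described above is open.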