CVE-2025-41243: CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') in Spring Cloud Gateway
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true:
- The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
- Spring Boot actuator is a dependency.
- The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway.
- The actuator endpoints are available to attackers.
- The actuator endpoints are unsecured.
AI Analysis
Technical Summary
CVE-2025-41243 is a critical vulnerability classified under CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement) and CWE-94 (Improper Control of Generation of Code). It affects Spring Cloud Gateway Server Webflux versions 3.1.x through 4.3.x when the Spring Boot actuator dependency is present and the gateway actuator web endpoint is enabled and exposed to attackers without authentication. The vulnerability arises because the actuator endpoints allow unauthenticated users to inject malicious Expression Language (EL) statements, enabling them to modify Spring Environment properties dynamically. This can lead to remote code execution, configuration manipulation, and full system compromise. The vulnerability does not affect Spring Cloud Gateway Server WebMVC. The CVSS v3.1 base score is 10.0, reflecting its critical severity with network attack vector, no required privileges or user interaction, and complete impact on confidentiality, integrity, and availability. Although no exploits have been observed in the wild yet, the ease of exploitation and potential impact make this a highly critical threat. The vulnerability was reserved in April 2025 and published in September 2025. The lack of available patches at the time of reporting increases the urgency for mitigations such as disabling or securing actuator endpoints.
Potential Impact
The impact of CVE-2025-41243 is severe and far-reaching. Exploitation allows attackers to remotely execute arbitrary code or commands by injecting malicious expressions into the Spring Environment, leading to full system compromise. This can result in data breaches, service disruption, unauthorized access to sensitive configuration data, and potential lateral movement within enterprise networks. Organizations relying on Spring Cloud Gateway Server Webflux for API routing and microservice communication are at risk of having their infrastructure compromised, which can affect business continuity and data integrity. The vulnerability's criticality is heightened by the fact that it requires no authentication or user interaction and can be exploited remotely over the network. This makes it a prime target for attackers aiming to compromise cloud-native applications and services. The exposure of actuator endpoints without proper security controls significantly increases the attack surface. Industries such as finance, healthcare, telecommunications, and government agencies that use Spring Cloud Gateway extensively could face significant operational and reputational damage if exploited.
Mitigation Recommendations
To mitigate CVE-2025-41243, organizations should immediately audit their Spring Cloud Gateway Server Webflux deployments to identify if the actuator endpoints are enabled and exposed. Specifically, verify if management.endpoints.web.exposure.include includes 'gateway' and whether these endpoints are accessible without authentication. If so, restrict access to actuator endpoints using network-level controls such as firewalls or VPNs, and enable authentication and authorization mechanisms for actuator endpoints. Disable the gateway actuator endpoint if it is not required. Monitor logs for suspicious access attempts to actuator endpoints. Apply the latest patches or updates from the Spring project as soon as they become available. Additionally, implement runtime application self-protection (RASP) or Web Application Firewalls (WAFs) with rules to detect and block Expression Language injection attempts. Conduct regular security assessments and penetration testing focused on actuator endpoint exposure. Educate developers and DevOps teams about the risks of exposing actuator endpoints in production environments. Finally, consider adopting a zero-trust approach to internal service communications to limit the impact of any potential compromise.
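As an added example (not from the advisory or the Spring project), the following reactive Spring Security configuration implements the recommendation above to put authentication and authorization in front of the actuator endpoints, so that /actuator/gateway/** is never reachable anonymously even when it is exposed. It assumes a Spring Boot 3.x gateway with spring-boot-starter-security on the classpath, a hypothetical package name, and an existing user store that grants the ACTUATOR role.

```java
// Added example, not from the advisory or the Spring project.
// Property-level hardening named in the mitigation text goes in application.properties:
//   management.endpoints.web.exposure.include=health,info   (do not list 'gateway')
//   management.endpoint.gateway.enabled=false               (when the endpoint is not needed)
// The filter chain below covers the case where the gateway endpoint must stay exposed.
package com.example.gateway.security; // hypothetical package name

import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Highest precedence so this chain is consulted before any route-level chain.
    @Bean
    @Order(1)
    public SecurityWebFilterChain actuatorSecurity(ServerHttpSecurity http) {
        return http
            // Restrict this chain to actuator endpoints (/actuator/** by default).
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeExchange(exchanges -> exchanges
                // Liveness checks may stay anonymous; everything else, including
                // /actuator/gateway/**, requires an authenticated ACTUATOR user.
                .matchers(EndpointRequest.to("health")).permitAll()
                .anyExchange().hasRole("ACTUATOR"))
            // HTTP Basic for operator tooling; credentials come from the app's user store.
            .httpBasic(Customizer.withDefaults())
            .build();
    }
}
```

After deployment, confirm that an unauthenticated GET to /actuator/gateway/routes returns 401 rather than 200, and keep the endpoint on a network segment that external clients cannot reach.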
Affected Countries
United States, Germany, United Kingdom, India, Japan, South Korea, France, Canada, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: vmware
- Date Reserved: 2025-04-16T09:30:17.799Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c97badd327290d6e7319cd
Added to database: 9/16/2025, 3:01:01 PM
Last enriched: 2/27/2026, 2:01:35 AM
Last updated: 3/25/2026, 9:16:16 PM
Views: 218