IP address spoofing in Spring Cloud Gateway Server

1) Insufficient verification of data authenticity

EUVDB-ID: #VU109961

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-41235

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

Description

The vulnerability allows a remote attacker to spoof requests origin.

The vulnerability exists due to the Spring Cloud Gateway accepts the X-Forwarded-* and Forwarded header from untrusted proxies. A remote attacker can manipulate the header information and spoof the IP address of the request source.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Spring Cloud Gateway: 2.2.10 - 4.3.0 RC1

CPE2.3

• cpe:2.3:a:vmware:spring_cloud_gateway:2.2.10:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.0.M1:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.0-M2:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.0-M3:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.0-M4:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.0-M5:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.0-M6:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.0:RC1:*:*:*:*:*:*
• cpe:2.3:a:vmware:spring_cloud_gateway:3.0.1:*:*:*:*:*:*:*

External links

https://spring.io/security/cve-2025-41235

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.