CVE-2025-41235: 
Java vulnerability analysis and mitigation

Spring Cloud Gateway Server vulnerability (CVE-2025-41235) was discovered by Vilius Šumskas and publicly disclosed on May 27, 2025. The vulnerability affects Spring Cloud Gateway Server versions 2.2.10.RELEASE through 4.2.2 and 4.3.0 pre-release versions, as well as Spring Cloud Gateway Server MVC versions 4.1.7 through 4.2.2 and 4.3.0 pre-release versions (Spring Security).

The vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests) and has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N. The technical issue involves the server forwarding X-Forwarded-For and Forwarded headers from untrusted proxies, which could potentially be exploited in HTTP request/response smuggling attacks (NVD, Wiz).

The vulnerability has a significant potential impact on system integrity, though there is no direct impact on confidentiality or availability. The high CVSS score indicates the severity of the potential security risks associated with the forwarding of headers from untrusted proxies (Spring Security, Wiz).

Users are advised to upgrade to the fixed versions: 4.3.0 (OSS), 4.2.3 (OSS), 4.1.8 (OSS), 4.0.12 (Commercial), or 3.1.10 (Commercial). After upgrading, users must set spring.cloud.gateway.trusted-proxies to a Java Regular Expression specifying trusted proxies. For those unable to upgrade immediately, a temporary workaround involves disabling the forwarded headers by setting spring.cloud.gateway.forwarded.enabled=false and spring.cloud.gateway.x-forwarded.enabled=false (Spring Security).

The Spring team has demonstrated a prompt response by releasing multiple fixed versions across different release lines, including both open-source and commercial versions. The vulnerability was announced through official Spring channels and addressed through a coordinated release strategy (Spring Blog).