CVE-2025-41235
📋 TL;DR
Spring Cloud Gateway Server improperly forwards X-Forwarded-For and Forwarded headers from untrusted proxies, allowing attackers to spoof client IP addresses. This affects systems using Spring Cloud Gateway as a reverse proxy with header forwarding enabled. The vulnerability enables IP spoofing and potential bypass of IP-based security controls.
💻 Affected Systems
- Spring Cloud Gateway
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass IP-based authentication, rate limiting, and access controls, potentially gaining unauthorized access to backend services or performing account takeover.
Likely Case
IP spoofing allowing bypass of geolocation restrictions, rate limiting evasion, or manipulation of logging/auditing systems.
If Mitigated
Limited impact if proper network segmentation and additional authentication layers are in place.
🎯 Exploit Status
Exploitation requires sending specially crafted headers to the gateway.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Spring Security advisory for specific patched versions
Vendor Advisory: https://spring.io/security/cve-2025-41235
Restart Required: Yes
Instructions:
1. Review the Spring Security advisory for affected versions
2. Upgrade to the patched version of Spring Cloud Gateway
3. Restart the gateway service
4. Verify header forwarding behavior
🔧 Temporary Workarounds
Configure trusted proxies
Configure Spring Cloud Gateway to accept forwarded headers only from trusted proxy IP addresses:
spring.cloud.gateway.forwarded.trusted-proxies=192.168.1.0/24,10.0.0.0/8
Disable header forwarding
Disable forwarding of the X-Forwarded-For and Forwarded headers if it is not required:
spring.cloud.gateway.forwarded.enabled=false
🧯 If You Can't Patch
- Implement network-level controls to restrict which upstream systems can communicate with the gateway
- Add additional authentication/authorization layers that don't rely solely on client IP addresses
🔍 How to Verify
Check if Vulnerable:
Check if Spring Cloud Gateway is forwarding X-Forwarded-For or Forwarded headers from untrusted sources
Check Version:
Check the application properties or consult the Spring Boot Actuator /info endpoint
Verify Fix Applied:
Test with crafted headers from untrusted IPs to ensure they are not forwarded
📡 Detection & Monitoring
Log Indicators:
- Unusual IP addresses in forwarded headers
- Requests with spoofed X-Forwarded-For headers
Network Indicators:
- Traffic from unexpected sources reaching backend services
- Header manipulation attempts
SIEM Query:
source_ip NOT IN trusted_proxies AND http.headers.x-forwarded-for EXISTS