CVE-2025-41235 Overview
CVE-2025-41235 affects Spring Cloud Gateway Server, which forwards X-Forwarded-For and Forwarded headers received from untrusted proxies. The flaw is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests). Downstream services that rely on these headers for client IP attribution, access control, or logging can be misled by attacker-supplied values. The issue requires no authentication and is reachable over the network. Spring published a security advisory tracking the bug.
Critical Impact
Attackers can spoof client IP addresses in downstream services, bypass IP-based access controls, and corrupt audit trails by injecting forged X-Forwarded-For or Forwarded headers through Spring Cloud Gateway.
Affected Products
- Spring Cloud Gateway Server (see vendor advisory for affected versions)
- Applications routing requests through Spring Cloud Gateway that consume forwarding headers
- Downstream services performing IP-based authorization behind the gateway
Discovery Timeline
- 2025-05-30 - CVE-2025-41235 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-41235
Vulnerability Analysis
Spring Cloud Gateway Server is a reactive API gateway that routes HTTP traffic to backend services. The gateway forwards the X-Forwarded-For and Forwarded headers from incoming requests without validating whether the upstream sender is a trusted proxy. Downstream applications typically interpret these headers as authoritative records of the original client IP and protocol chain.
When the gateway sits behind a load balancer or directly exposes endpoints to the internet, an attacker can supply arbitrary values in these headers. Because the gateway passes them through, backend services receive forged client identity data. Applications relying on header values for rate limiting, geolocation, or access control treat attacker-controlled input as trusted.
The vulnerability is a request smuggling and trust boundary issue rather than a memory safety flaw. Exploitation is reliable because HTTP header injection is deterministic and requires no privileges or user interaction. See the Spring Security Advisory CVE-2025-41235 for the authoritative vendor description.
Root Cause
The gateway does not strip or rewrite X-Forwarded-For and Forwarded headers from inbound requests originating from untrusted networks. It appends its own forwarding data while preserving the attacker-supplied values, breaking the chain of trust expected by backend consumers.
Attack Vector
An attacker sends an HTTP request to a Spring Cloud Gateway endpoint with crafted X-Forwarded-For: 10.0.0.1 or Forwarded: for=192.168.1.1;proto=https headers. The gateway routes the request downstream with those values intact. The backend then logs, authorizes, or restricts the request based on the spoofed IP rather than the true client address.
No authentication, no special tooling, and no client interaction are required. The attack works against any deployment where the gateway is exposed to untrusted networks and downstream services consume forwarding headers.
Detection Methods for CVE-2025-41235
Indicators of Compromise
- Inbound requests containing X-Forwarded-For or Forwarded headers from clients that should not be acting as proxies
- Backend application logs showing client IPs inconsistent with gateway access logs
- Authorization decisions or rate-limit bypasses keyed on internal or allowlisted IP ranges that the request did not originate from
Detection Strategies
- Compare the source IP recorded at the perimeter load balancer with the X-Forwarded-For value seen by backend services to flag mismatches
- Alert on inbound requests where the first hop in X-Forwarded-For falls inside RFC 1918 ranges or matches known internal subnets
- Inspect Spring Cloud Gateway access logs for header values that change unexpectedly between the gateway and downstream tiers
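The first two detection strategies above, worked as an added example (not part of the advisory) over constructed log lines: the perimeter load balancer records the true TCP peer per request id, the backend records the X-Forwarded-For chain it received through the gateway, and a request is flagged when its first hop is an RFC 1918 address or differs from the peer the perimeter saw. It assumes clients connect directly, with no legitimate proxy between them and the perimeter, and that the request id and log format are this example's own.

```java
import java.util.*;
import java.util.regex.*;

public class ForwardedHeaderAudit {
    // Constructed sample logs: "src" is the peer the perimeter LB accepted from,
    // "xff" is the X-Forwarded-For chain the backend received via the gateway.
    static final List<String> PERIMETER = List.of(
            "req=a1 src=198.51.100.23",
            "req=a2 src=198.51.100.24",
            "req=a3 src=198.51.100.25");
    static final List<String> BACKEND = List.of(
            "req=a1 xff=198.51.100.23",               // gateway appended the real peer only
            "req=a2 xff=10.0.0.1, 198.51.100.24",     // client-supplied private first hop
            "req=a3 xff=203.0.113.9, 198.51.100.25"); // client-supplied public first hop
    static final Pattern LINE = Pattern.compile("req=(\\S+) (?:src|xff)=(.*)");

    // Returns request id -> reason for every request whose first forwarded hop
    // is an RFC 1918 address or differs from the peer recorded at the perimeter.
    static Map<String, String> audit(List<String> perimeter, List<String> backend) {
        Map<String, String> peerByReq = new HashMap<>();
        for (String line : perimeter) {
            Matcher m = LINE.matcher(line);
            if (m.matches()) peerByReq.put(m.group(1), m.group(2).trim());
        }
        Map<String, String> findings = new LinkedHashMap<>();
        for (String line : backend) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;
            String req = m.group(1);
            String firstHop = m.group(2).split(",")[0].trim();
            String peer = peerByReq.get(req);
            if (isRfc1918(firstHop)) {
                findings.put(req, "private first hop " + firstHop);
            } else if (peer != null && !peer.equals(firstHop)) {
                findings.put(req, "first hop " + firstHop + " differs from perimeter peer " + peer);
            }
        }
        return findings;
    }

    static boolean isRfc1918(String ip) {
        if (!ip.matches("\\d{1,3}(\\.\\d{1,3}){3}")) return false;
        String[] o = ip.split("\\.");
        int a = Integer.parseInt(o[0]), b = Integer.parseInt(o[1]);
        return a == 10 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168);
    }

    public static void main(String[] args) {
        audit(PERIMETER, BACKEND).forEach((req, why) -> System.out.println("ALERT " + req + ": " + why));
    }
}
```

On the sample data, a1 is clean and a2 and a3 produce one finding each.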
Monitoring Recommendations
- Forward gateway and backend HTTP logs to a centralized analytics platform and correlate header chains across tiers
- Track sudden spikes in requests carrying Forwarded headers, which are uncommon in normal client traffic
- Monitor IP-based access control rules for unexpected matches that suggest spoofed forwarding headers
How to Mitigate CVE-2025-41235
Immediate Actions Required
- Upgrade Spring Cloud Gateway Server to the fixed version listed in the Spring Security Advisory CVE-2025-41235
- Audit backend services that consume X-Forwarded-For or Forwarded headers and confirm they validate the trusted proxy chain
- Restrict direct network access to the gateway so only known load balancers can reach it
Patch Information
Apply the Spring Cloud Gateway Server release identified in the vendor advisory. The fix changes how the gateway handles forwarding headers received from untrusted sources. Review the advisory for exact supported version numbers and backports before deploying.
Workarounds
- Configure an upstream proxy or load balancer to strip inbound X-Forwarded-For and Forwarded headers before they reach the gateway
- Add a GlobalFilter in Spring Cloud Gateway that removes these headers from requests originating outside a defined trusted CIDR range
- Disable IP-based authorization in backend services until the gateway is patched and the trust chain is verified
# Example: strip forwarding headers at the edge with nginx before requests reach Spring Cloud Gateway
location / {
    # Replace any client-supplied chain with the peer address nginx actually accepted from
    proxy_set_header X-Forwarded-For $remote_addr;
    # An empty value makes nginx omit the header from the proxied request entirely
    proxy_set_header Forwarded "";
    proxy_pass http://spring-cloud-gateway-upstream;
}
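The GlobalFilter workaround listed above, as an added example rather than code from the Spring project or the advisory. It assumes Spring Cloud Gateway (reactive) on the classpath; the trusted proxy ranges, the IPv4-only matching and the class name are this example's own choices.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.List;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Runs before routing; drops client-supplied forwarding headers unless the TCP peer is a trusted proxy.
@Component
public class UntrustedForwardedHeadersFilter implements GlobalFilter, Ordered {
    // Hypothetical trusted ranges: the perimeter load balancer subnet and loopback.
    private static final List<String> TRUSTED_PROXIES = List.of("10.10.0.0/16", "127.0.0.1/32");

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        InetSocketAddress peer = exchange.getRequest().getRemoteAddress();
        if (peer != null && isTrusted(peer.getAddress())) {
            return chain.filter(exchange); // trusted proxy: keep the chain it built
        }
        // Untrusted or unknown peer: remove both headers so the gateway's own
        // forwarding filters append only the address it actually accepted from.
        ServerHttpRequest cleaned = exchange.getRequest().mutate()
                .headers(h -> { h.remove("X-Forwarded-For"); h.remove("Forwarded"); })
                .build();
        return chain.filter(exchange.mutate().request(cleaned).build());
    }

    static boolean isTrusted(InetAddress addr) {
        byte[] ip = addr.getAddress();
        if (ip.length != 4) return false; // IPv6 peers are treated as untrusted in this example
        return TRUSTED_PROXIES.stream().anyMatch(cidr -> inCidr(ip, cidr));
    }

    // Minimal IPv4 CIDR match, avoiding a dependency on Spring Security's IpAddressMatcher.
    static boolean inCidr(byte[] ip, String cidr) {
        String[] parts = cidr.split("/");
        String[] octets = parts[0].split("\\.");
        int prefix = Integer.parseInt(parts[1]);
        int net = 0, addr = 0;
        for (int i = 0; i < 4; i++) {
            net = (net << 8) | Integer.parseInt(octets[i]);
            addr = (addr << 8) | (ip[i] & 0xff);
        }
        int mask = prefix == 0 ? 0 : -1 << (32 - prefix);
        return (net & mask) == (addr & mask);
    }

    @Override public int getOrder() { return Ordered.HIGHEST_PRECEDENCE; }
}
```

Treat this as an interim control only; the upgrade in the advisory remains the fix, and the trusted ranges must match the real load balancer addresses or legitimate chains will be dropped too.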
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


