Impact
Spring Cloud Gateway, used with both WebMVC and WebFlux, incorrectly forwards X-Forwarded-For and Forwarded headers when established behind proxies that are not explicitly trusted. The CVE description notes only that the gateway forwards these headers; based on that, it is inferred that an attacker controlling a malicious proxy can insert or modify these headers to mislead downstream applications. If an application relies on the client IP for access control or other logic, this can lead to bypassing policy checks, user impersonation, and other privilege-escalation scenarios. The flaw corresponds to Missing Authentication for API (CWE-346) and Information Exposure (CWE-501).
Affected Systems
Affected versions include Spring Cloud Gateway 3.1.x (fixed in 3.1.13), 4.1.x (fixed in 4.1.13), 4.2.x (fixed in 4.2.9), 4.3.x (fixed in 4.3.5), and 5.0.x (fixed in 5.0.2). Systems running any of these unpatched releases are vulnerable.
Risk and Exploitability
Based on the description, the likely attack vector is the deployment of a compromised or malicious proxy that can inject forged headers, which does not require special application credentials. The CVSS score of 8.6 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild as of the last update. The vulnerability is not listed in CISA’s KEV catalog, which means there are no known exploited instances reported.
OpenCVE Enrichment