[Vulnerability Advisory] Spring Cloud Gateway Expression Injection Vulnerability (CVE-2025-41253)

Published: 2025-11-11

1. Vulnerability Overview

Vulnerability name: Spring Cloud Gateway expression injection vulnerability
CVE ID: CVE-2025-41253
Vulnerability type: Expression injection
Discovered: 2025-11-11
Vulnerability score: 7.5
Severity: High
Attack vector: Network
Privileges required: None
Exploitation difficulty: Low
User interaction: Not required
PoC/EXP: Public
Exploited in the wild: Not observed


Spring Cloud Gateway is a high-performance gateway framework built on Spring Framework 5, Project Reactor and Spring Boot 2 or later. It provides unified API routing, load balancing, rate limiting, monitoring and security controls. It uses the reactive programming model (WebFlux) for asynchronous, non-blocking request handling and is suited to high-concurrency workloads in microservice architectures. Developers can flexibly define routing rules, filter chains and authorization policies through configuration or code to implement request forwarding, traffic management and security protection, making it one of the core components of the Spring Cloud microservice ecosystem.


On 11 November 2025, the Nangong NG Entertainment Group VSRC detected an expression injection vulnerability affecting Spring Cloud Gateway Server (WebFlux variant only). When an application uses Spring Expression Language (SpEL) in its route configuration and exposes the Actuator gateway endpoint without access control, an attacker can craft a malicious route expression to read system environment variables and system properties, resulting in sensitive information disclosure. The vulnerability is triggered only when management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=true (or management.endpoint.gateway.access=unrestricted) are set, and the corresponding Actuator interface is reachable from outside.


2. Affected Versions


4.3.0 <= Spring Cloud Gateway < 4.3.2
4.2.0 <= Spring Cloud Gateway < 4.2.6
4.1.0 <= Spring Cloud Gateway < 4.1.12
4.0.0 <= Spring Cloud Gateway < 4.0.12
3.1.0 <= Spring Cloud Gateway < 3.1.12
Older, unsupported versions are also affected.


3. Security Measures


3.1 Upgrade


The vendor has released patched versions that fix this vulnerability:
Spring Cloud Gateway >= 4.3.2
Spring Cloud Gateway >= 4.2.6
Spring Cloud Gateway >= 4.1.12
Spring Cloud Gateway >= 4.0.12
Spring Cloud Gateway >= 3.1.12


Download link: https://spring.io/projects/spring-cloud-gateway/


3.2 Temporary Mitigations


Remove gateway from the management.endpoints.web.exposure.include property in the configuration, or harden access control on the Actuator endpoints.
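The following script is an added example written for this advisory, not code from Spring or from the advisory's author. It turns the affected-version list in section 2 and the trigger conditions in section 1 (web exposure of the gateway endpoint plus the endpoint being enabled/unrestricted) into a configuration audit, and shows the section 3.2 mitigation as a constructed hardened application.properties beside a constructed vulnerable one. The Spring Boot defaults it assumes (exposure include defaults to health, exclude overrides include, the gateway endpoint counts as enabled unless enabled=false or access=none, access defaults to unrestricted) are assumptions of this example; whether the Actuator interface is reachable from outside cannot be judged from properties alone and is not checked.

```python
import re

# Affected ranges from section 2: [first affected, first fixed) per minor line.
AFFECTED_RANGES = [
    ((4, 3, 0), (4, 3, 2)),
    ((4, 2, 0), (4, 2, 6)),
    ((4, 1, 0), (4, 1, 12)),
    ((4, 0, 0), (4, 0, 12)),
    ((3, 1, 0), (3, 1, 12)),
]
OLDEST_LISTED = (3, 1, 0)  # advisory: older, unsupported lines are also affected


def parse_version(text):
    """Parse a 'major.minor.patch' string; any trailing qualifier is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True when this Spring Cloud Gateway version falls inside an affected range."""
    v = parse_version(text)
    if v < OLDEST_LISTED:
        return True
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _csv_set(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def gateway_endpoint_exposed(props):
    """Apply the advisory's trigger conditions to a parsed configuration.

    Assumed Spring Boot defaults (assumptions of this example): the web exposure
    include list defaults to 'health', exclude wins over include, the gateway
    endpoint is enabled unless 'enabled=false' is set, and 'access' defaults to
    'unrestricted' (the value the advisory names).
    """
    include = _csv_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _csv_set(props.get("management.endpoints.web.exposure.exclude", ""))
    included = "gateway" in include or "*" in include
    excluded = "gateway" in exclude or "*" in exclude
    over_web = included and not excluded
    enabled = props.get("management.endpoint.gateway.enabled", "true").lower() != "false"
    access = props.get("management.endpoint.gateway.access", "unrestricted").lower()
    return over_web and enabled and access == "unrestricted"


def assess(version, properties_text):
    """Combine the version check and the configuration check into one verdict."""
    props = parse_properties(properties_text)
    return {
        "affected_version": is_affected_version(version),
        "gateway_endpoint_exposed": gateway_endpoint_exposed(props),
    }


# Constructed sample: mirrors the trigger conditions named in section 1.
VULNERABLE_CONFIG = """
management.endpoints.web.exposure.include=health,gateway
management.endpoint.gateway.enabled=true
"""

# Constructed sample: 'gateway' removed from the exposure list (section 3.2) and
# the endpoint switched off outright.
HARDENED_CONFIG = """
management.endpoints.web.exposure.include=health
management.endpoint.gateway.access=none
"""

if __name__ == "__main__":
    print("vulnerable:", assess("4.2.5", VULNERABLE_CONFIG))
    print("hardened:  ", assess("4.2.6", HARDENED_CONFIG))
```

Run it against the real application.properties (or a flattened export of application.yml) together with the Spring Cloud Gateway version from the build; a result with both flags true means the application matches the advisory's precondition and should be upgraded or have gateway removed from the exposure list before anything else.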


3.3 General Recommendations


Apply system patches regularly to reduce system vulnerabilities and improve server security.
Strengthen system and network access control, adjust firewall policies, close unnecessary application ports or services, and avoid exposing risky services (such as SSH and RDP) to the public internet, reducing the attack surface.
Use enterprise-grade security products to improve the organisation's network security posture.
Strengthen user and privilege management, enable multi-factor authentication and the principle of least privilege, and keep user and software privileges to the minimum required.
Enable a strong password policy and require passwords to be changed regularly.


3.4 References


https://spring.io/security/cve-2025-41253/