This email comes from outside the organisation; let us remain vigilant.

=====================================================================
CERT-Renater Note d'Information No. 2026/VULN635
_____________________________________________________________________
DATE : 15/06/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Spring Cloud Gateway versions prior to 3.1.13, 4.1.13, 4.2.9, 4.3.4.1, 4.3.5, 5.0.1.1, 5.0.2.
=====================================================================

https://spring.io/security/cve-2026-47825/
_____________________________________________________________________

CVE-2026-47825: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations

HIGH | JUNE 11, 2026 | CVE-2026-47825

Description

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.

Affected Spring Products and Versions

Spring Cloud Gateway:
  3.1.x
  4.1.x
  4.2.x
  4.3.x
  5.0.x
Older, unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version        Availability
3.1.x                 3.1.13             Enterprise Support Only
4.1.x                 4.1.13             Enterprise Support Only
4.2.x                 4.2.9              Enterprise Support Only
4.3.x                 4.3.4.1, 4.3.5     OSS
5.0.x                 5.0.1.1, 5.0.2     OSS

As part of this fix, the Spring Cloud Gateway Server WebFlux NettyServerCustomizer has been disabled by default. If you require this to be enabled, set
  spring.cloud.gateway.server.webflux.httpserver.customizer-enabled=true
for versions 5.0.x, or for 4.3.x if you have migrated to the new properties namespace, or
  spring.cloud.gateway.httpserver.customizer-enabled=true
for 4.3.x if you have not migrated to the new properties namespace, and for 4.2.x and 3.1.x.

Credit

The issue was identified and responsibly reported by samarthd.
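To triage a dependency inventory against the fix table above, here is an added Python check; it is not part of the advisory or of the Spring project. The sample version strings are constructed, and treating branches newer than 5.0.x as "unknown" is an assumption, since the advisory does not list them.

```python
import re

# Fix table from the advisory, keyed by release branch (major, minor).
# A version on a listed branch is fixed once it reaches this tuple.
# 4.3.4.1 and 5.0.1.1 are four-component patch releases, so a plain
# 4.3.4 or 5.0.1 still falls short of the fix.
FIXED_FROM = {
    (3, 1): (3, 1, 13),
    (4, 1): (4, 1, 13),
    (4, 2): (4, 2, 9),
    (4, 3): (4, 3, 4, 1),
    (5, 0): (5, 0, 1, 1),
}
NEWEST_LISTED_BRANCH = (5, 0)  # assumption: anything newer is "unknown"


def parse_version(version: str) -> tuple:
    """Turn '4.3.4.1' or '4.2.3-SNAPSHOT' into a tuple of leading numeric parts."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"(\d+)", piece)
        if not m:
            break
        parts.append(int(m.group(1)))
        if m.end() != len(piece):  # a qualifier like '3-SNAPSHOT' ends the numeric run
            break
    if len(parts) < 2:
        raise ValueError(f"unrecognised Spring Cloud Gateway version: {version!r}")
    return tuple(parts)


def assess(version: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for CVE-2026-47825."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_FROM:
        # Tuple comparison handles the four-component releases: (4,3,4) < (4,3,4,1) <= (4,3,5)
        return "fixed" if v >= FIXED_FROM[branch] else "affected"
    if branch < NEWEST_LISTED_BRANCH:
        return "affected"  # "Older, unsupported versions are also affected"
    return "unknown"  # branch not covered by the advisory


if __name__ == "__main__":
    # Constructed sample of versions an inventory scan might report.
    for ver in ["4.3.4", "4.3.4.1", "5.0.1", "5.0.2", "3.0.5", "5.1.0"]:
        print(f"{ver:10} {assess(ver)}")
```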
References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N&version=3.1

History

2026-06-11: Original vulnerability report published.
2026-06-12: Updated Fix version for 4.1.x from 4.2.9 to 4.1.13.

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================