Critical Spring Cloud Gateway Vulnerabilities and How to Mitigate Them
The article outlines two Spring Cloud Gateway CVEs—CVE-2022-22947 (critical code injection) and CVE-2022-22946 (medium HTTP/2 TrustManager issue)—detailing their severity, affected versions, and recommended mitigation steps such as upgrading to 3.1.1+, disabling Actuator, or securing it with Spring Security.
On March 1, the official Spring blog released a report on Spring Cloud Gateway CVEs, highlighting a high‑risk and a medium‑risk vulnerability and urging users to upgrade to version 3.1.1+, 3.0.7+ or apply other mitigation measures.
CVE-2022-22947: Code Injection Vulnerability
Severity: Critical
Description: Applications using Spring Cloud Gateway are vulnerable to code injection via the Actuator endpoint when it is enabled, exposed, and unsecured, allowing attackers to execute arbitrary code on the remote host.
Affected Versions:
3.1.0
3.0.0 to 3.0.6
Other older versions
Mitigation:
3.1.x users should upgrade to 3.1.1+
3.0.x users should upgrade to 3.0.7+
If the Actuator endpoint is not needed, disable it with management.endpoint.gateway.enabled: false
If the Actuator endpoint is needed, protect it with Spring Security
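The "protect it with Spring Security" mitigation, as an added example that is not taken from the Spring advisory or the Spring Cloud Gateway project: a WebFlux security chain that applies only to Actuator requests and requires an authenticated operator for everything under /actuator except the health probe. It assumes spring-boot-starter-security is on the classpath, that the user store comes from the spring.security.user.* properties or an external identity provider, and the role name ACTUATOR is my choice.

```java
// Added example (not project code): restrict the Actuator endpoints of a
// Spring Cloud Gateway (a reactive/WebFlux application) so that
// /actuator/gateway/** is reachable only by a principal holding ROLE_ACTUATOR.
// Assumptions: spring-boot-starter-security is present, users/roles are
// configured via spring.security.user.* or an external IdP, role name ACTUATOR.
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class ActuatorSecurityConfig {

    @Bean
    public SecurityWebFilterChain actuatorSecurity(ServerHttpSecurity http) {
        return http
            // This chain handles only Actuator requests; the gateway's proxied
            // routes are left to their own security configuration.
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeExchange(exchanges -> exchanges
                // Keep the health probe anonymous for load balancers and orchestrators.
                .matchers(EndpointRequest.to("health")).permitAll()
                // Everything else, including the gateway endpoint that accepts
                // route definitions, requires an authenticated operator.
                .anyExchange().hasRole("ACTUATOR"))
            // Operators and tooling authenticate with HTTP Basic (serve it over TLS).
            .httpBasic(Customizer.withDefaults())
            // Actuator is an API for tooling, not browser forms; CSRF tokens would
            // only reject legitimate POST calls from management tooling.
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .build();
    }
}
```

If the gateway endpoint is not needed at all, management.endpoint.gateway.enabled: false removes it entirely, and management.endpoints.web.exposure.include should not list gateway (or *), so the endpoint is never exposed over HTTP in the first place.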
CVE-2022-22946: HTTP2 Insecure TrustManager
Severity: Medium
Description: When HTTP/2 is enabled without configuring a keystore or trusted certificates, the application uses an insecure TrustManager, allowing the gateway to connect to remote services with invalid or custom certificates.
Affected Versions:
3.1.0
Mitigation:
3.1.x users should upgrade to 3.1.1+
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"