HeroDevs

Spring Cloud Gateway 3.0.x Release Notes

1 version

Comprehensive release notes and changelog for Spring Cloud Gateway 3.0.x, including security patches, bug fixes, and feature updates across all supported versions.

Mar 11, 2026

Latest: 3.0.9

7 Patched Vulnerabilities

VEX Statements

March 2026

3.0.9

Released last Wednesday

CVE-2025-41235

CVE-2025-41253

Full Version:

3.0.8-spring-cloud-gateway-3.0.9

Bug Fixes

This release patches the following:
- Server forwards headers from untrusted proxies (CVE-2025-41235). X-Forwarded-* and Forwarded headers are disabled by default. If your application relies on these headers, you must configure trusted proxies after upgrading:
  - For Spring Cloud Gateway Server: spring.cloud.gateway.trusted-proxies=10\.0\.0\..*
  - For Spring Cloud Gateway Server MVC: spring.cloud.gateway.mvc.trusted-proxies=10\.0\.0\..*
- Environment modification vulnerability (CVE-2025-41253).

Notes

This release originates from the open‑source Spring Cloud Gateway repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Cloud Gateway 3.0.8.

Dependency Upgrades

Spring Cloud Build (NES) 3.0.5-spring-cloud-build-3.0.6
Spring Cloud CircuitBreaker (NES) 2.0.3-spring-cloud-circuitbreaker-2.0.4
Spring Cloud Commons (NES) 3.0.6-spring-cloud-commons-3.0.7

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team