Zipkin Heap Dump Endpoint Exposure Vulnerability

Vulnerability

Zipkin versions through 3.5.1 expose the /heapdump endpoint. The endpoint comes from Spring Boot Actuator, and a request to it returns a complete JVM heap dump, so anyone who can reach the server can read whatever the process holds in memory, including credentials, tokens and trace data. The issue is similar to CVE-2025-48927.

Impact

Exposing the /heapdump endpoint lets an attacker download a snapshot of the JVM heap. A heap dump contains the live contents of process memory, such as storage backend passwords, API keys and session tokens held in String objects, which can be recovered with simple string scanning and used for further exploitation of the application and the systems it talks to.

Remediation

Users can disable the /heapdump endpoint by excluding the Spring Boot auto-configuration class org.springframework.boot.actuate.autoconfigure.management.HeapDumpWebEndpointAutoConfiguration (it is an auto-configuration class, not a configuration property; it is excluded through the spring.autoconfigure.exclude property). Instructions for modifying the Zipkin configuration are available in the Zipkin documentation. After applying the change, confirm that a request to /heapdump no longer returns an HPROF file, and as defence in depth limit network access to the Zipkin server to trusted clients.
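The following is an added example, not code from the advisory or from the Zipkin project. It probes a host for an exposed heap dump endpoint (useful both to confirm the impact described above and to verify the remediation took effect) and, given a dump, scans it for credential-looking strings to show why exposure matters. The candidate paths, the secret patterns and the sample dump bytes are assumptions constructed for the example; real Zipkin deployments may differ.

```python
"""Added example: probe for an exposed Spring Boot heap dump and scan it.

Assumptions (not from the advisory): the candidate paths below, the secret
patterns, and the constructed SAMPLE_DUMP used for offline testing.
"""
import gzip
import re
import sys
import urllib.error
import urllib.request
import zlib

# HPROF heap dumps open with this ASCII header, followed by the format
# version (e.g. "1.0.2") and a NUL byte.
HPROF_MAGIC = b"JAVA PROFILE 1.0."
GZIP_MAGIC = b"\x1f\x8b"

# Hypothetical candidate paths: the advisory names /heapdump; Spring Boot's
# default management base path would place it under /actuator/heapdump.
CANDIDATE_PATHS = ("/heapdump", "/actuator/heapdump")

# Heuristic patterns for the kind of memory content that makes a dump dangerous.
SECRET_PATTERNS = (
    re.compile(rb"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*[^\s\x00\x22\x27,;]+"),
    re.compile(rb"(?i)\bBasic\s+[A-Za-z0-9+/=]{8,}"),
    re.compile(rb"(?i)\bBearer\s+[A-Za-z0-9._~+/-]{16,}"),
    re.compile(rb"(?i)jdbc:[a-z0-9]+:[^\s\x00\x22\x27]+"),
)

# Constructed sample: a fake HPROF header followed by strings of the sort a
# real dump would contain. Not a real heap dump.
SAMPLE_DUMP = (
    b"JAVA PROFILE 1.0.2\x00" + b"\x00" * 8
    + b"password=hunter2\x00 Authorization: Bearer abcdefghijklmnopqrstuvwxyz "
    + b"jdbc:mysql://db:3306/zipkin?user=x\x00"
)
SAMPLE_DUMP_GZ = gzip.compress(SAMPLE_DUMP)


def normalise(prefix: bytes) -> bytes:
    """Return the leading bytes of a heap dump, inflating a gzip wrapper if present."""
    if prefix.startswith(GZIP_MAGIC):
        # decompressobj tolerates a truncated stream, so a short prefix is enough.
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        return d.decompress(prefix)
    return prefix


def classify(status: int, body_prefix: bytes) -> str:
    """Map an HTTP status and the start of the body to an exposure verdict."""
    if status == 200 and normalise(body_prefix).startswith(HPROF_MAGIC):
        return "exposed"
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "absent"
    return "unknown"


def find_secrets(dump: bytes, limit: int = 100) -> list:
    """Scan heap dump bytes for credential-looking strings, in pattern order."""
    hits = []
    for pat in SECRET_PATTERNS:
        for m in pat.finditer(dump):
            hits.append(m.group(0).decode("latin-1"))
            if len(hits) >= limit:
                return hits
    return hits


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Try each candidate path, reading only the first 64 bytes of any body."""
    results = {}
    for path in CANDIDATE_PATHS:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[path] = classify(resp.status, resp.read(64))
        except urllib.error.HTTPError as e:
            results[path] = classify(e.code, b"")
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
    return results


if __name__ == "__main__":
    # Usage: python probe_heapdump.py http://zipkin.example.internal:9411
    for p, verdict in probe(sys.argv[1]).items():
        print(f"{p}: {verdict}")
```

Reading only the first 64 bytes keeps the probe cheap: a real dump is the size of the JVM heap, and the check only needs the HPROF magic to prove exposure. Run the probe before and after the remediation; the verdict for /heapdump should move from "exposed" to "absent" or "blocked".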

Added: Jul 4, 2025, 9:36 PM
Updated: Jul 4, 2025, 9:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 0.2
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.