Impact
Spring Cloud Config Server processes profile substitution requests, mapping profile names to files in its search directories. The resolution step accepts unvalidated paths, enabling an attacker to craft a profile value that traverses directories or specifies arbitrary file paths. This allows the attacker to read host files outside the intended configuration directory, potentially exposing sensitive data. The flaw is a file path traversal vulnerability (CWE-22) and, because the server may attempt to resolve URLs contained in the profile data, it can also facilitate server-side request forgery attacks against internal or external resources.
Affected Systems
Versions of the Spring Cloud framework before 3.1.13, 4.1.9, 4.2.3, 4.3.2, or 5.0.2 are vulnerable when the Config Server is configured to use the native file system as its backend for profile storage. The issue does not affect configurations using other backends or later releases of these major lines.
Risk and Exploitability
The impact score of 8.6 indicates high severity. With an EPSS value below 1 percent and no current listing in the known exploited vulnerabilities catalog, the likelihood of recent exploitation is low, yet the vulnerability can be exploited remotely by sending crafted HTTP requests to the profile endpoint. No local privileges are required and the compromise is limited to the host running the configuration server, although the SSRF potential could extend damage to internal network resources.
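As an added defender-side example (not from this advisory or the Spring Cloud project), the following Python script applies an allowlist check to the profile path variable and scans access-log lines for the traversal and URL-scheme patterns described above. It assumes the standard `/{application}/{profile}[/{label}]` and `/{application}-{profile}.yml` URL layout of the Config Server endpoints; the log lines are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (method, path, status); not taken from the advisory.
SAMPLE_LOG = """\
GET /myapp/default 200
GET /myapp/dev,cloud/main 200
GET /myapp/../../../../etc/passwd 200
GET /myapp/%252e%252e%252fsecrets 200
GET /myapp-prod.yml 200
GET /myapp/http:%2F%2F10.0.0.5%2Fadmin 500
GET /actuator/health 200
"""

# Allowlist for a Spring profile value: comma-separated names, no separators or schemes.
SAFE_PROFILE_RE = re.compile(r"^[A-Za-z0-9_-]+(,[A-Za-z0-9_-]+)*$")
# A path segment that begins with a URL scheme, e.g. "http:" or "file:".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def is_safe_profile(profile: str) -> bool:
    """Allowlist check a gateway or servlet filter can apply to the {profile} variable."""
    return bool(SAFE_PROFILE_RE.fullmatch(profile))


def classify_path(path: str) -> Optional[str]:
    """Return a reason if the decoded request path shows traversal or a URL scheme."""
    decoded = unquote(unquote(path))  # collapse single and double percent-encoding
    segments = [s for s in decoded.split("/") if s]
    if any(seg == ".." for seg in segments) or "\\" in decoded:
        return "path traversal"
    if any(SCHEME_RE.match(seg) for seg in segments):
        return "url scheme in path (possible SSRF)"
    return None


def suspicious_requests(log_text: str) -> list:
    """Scan access-log lines and return (path, reason) pairs for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; the request path is the second field
        reason = classify_path(parts[1])
        if reason:
            hits.append((parts[1], reason))
    return hits
```

Decoding twice catches double-encoded dots and slashes that a single decode would leave as literal `%2e` text; a segment such as `dev:` would also trip the scheme check, which is the conservative choice for a configuration endpoint.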
OpenCVE Enrichment: GitHub GHSA