Impact
The vulnerability resides in Micrometer’s gRPC server instrumentation, where a crafted gRPC request can exhaust server resources and cause a denial of service. It is a classic example of uncontrolled resource consumption driven by unvalidated input (CWE-400): an attacker can impose excessive load on the server without executing arbitrary code or elevating privileges.
Affected Systems
Affected products include Spring's Micrometer, versions 1.15.0 through 1.15.11 and 1.16.0 through 1.16.5. Any deployment of these Micrometer releases is susceptible to the DoS condition described above.
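The affected ranges above are inclusive on both ends, and the first fixed releases (1.15.12 and 1.16.6) sit right next to them, so a manual comparison is easy to get wrong. The following is an added example, not code from OpenCVE or the Micrometer project: it parses Micrometer version strings, checks them against the two ranges stated in this advisory, and scans constructed Maven-style dependency coordinates for affected artifacts. The dependency lines are invented for illustration; the `io.micrometer` group id is assumed to be the one under which Micrometer artifacts are published.

```python
import re
from typing import List, Tuple

# Affected version ranges exactly as stated in the advisory (inclusive).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("1.15.0", "1.15.11"),
    ("1.16.0", "1.16.5"),
]

# major.minor.patch with an optional qualifier such as -SNAPSHOT or -M1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Split a Micrometer version string into (major, minor, patch, qualifier)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Micrometer version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), qualifier or ""


def is_affected(version: str) -> bool:
    """True if the numeric part of `version` falls inside an affected range.

    Qualifiers (SNAPSHOT, milestones) are ignored for the comparison: a
    pre-release of an affected patch level is treated as affected, and a
    pre-release of a fixed patch level is treated as fixed. Pre-release builds
    of the first fixed release should still be confirmed against the project's
    own release notes.
    """
    v = parse_version(version)[:3]
    return any(parse_version(lo)[:3] <= v <= parse_version(hi)[:3]
               for lo, hi in AFFECTED_RANGES)


def scan_dependency_lines(lines: List[str]) -> List[str]:
    """Return the group:artifact:version coordinates that resolve to an affected
    Micrometer release. Lines that are not io.micrometer coordinates are skipped.
    """
    hits = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) != 3 or parts[0] != "io.micrometer":
            continue
        _, artifact, version = parts
        try:
            if is_affected(version):
                hits.append(f"io.micrometer:{artifact}:{version}")
        except ValueError:
            # Unparseable version: leave it out rather than guess.
            continue
    return hits


# Constructed sample of resolved dependency coordinates (not real project data).
SAMPLE_DEPENDENCIES = [
    "io.micrometer:micrometer-core:1.16.3",
    "io.micrometer:micrometer-observation:1.16.6",
    "io.micrometer:micrometer-core:1.15.11",
    "io.grpc:grpc-netty-shaded:1.60.0",
    "io.micrometer:micrometer-core:1.15.12-SNAPSHOT",
]

if __name__ == "__main__":
    for hit in scan_dependency_lines(SAMPLE_DEPENDENCIES):
        print("affected:", hit)
```

Run against the output of a dependency listing (for example one coordinate per line from the build tool), the scan reports only the artifacts whose version lands inside an affected range; 1.15.12 and 1.16.6 are reported as clean because they lie just past the upper bound of each range.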
Risk and Exploitability
The CVSS score of 7.5 indicates high severity for a denial-of-service issue. The EPSS score of below 1% suggests a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The absence of any authentication requirement in the description implies a likely remote exploit surface. The vulnerability is a resource exhaustion weakness: it affects availability but does not grant code execution or privilege escalation.
OpenCVE Enrichment