Impact
Micrometer, a popular Java library used in Spring for application monitoring, contains an input validation weakness that an attacker can trigger with specially constructed HTTP requests. When processed, these requests consume excessive server resources and can exhaust them entirely, leading to a denial of service that blocks legitimate traffic.
Affected Systems
The flaw is present in Spring Micrometer's core and Jetty integrations. Affected versions include micrometer-core 1.9.0-1.9.17, 1.13.0-1.13.18, 1.14.0-1.14.15, 1.15.0-1.15.11, and 1.16.0-1.16.5; and micrometer-jetty11 and micrometer-jetty12 in the same version ranges.
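One way to audit a build against the version ranges listed above, as an added example that is not part of this advisory or of the Micrometer project: it parses lines in the format printed by `mvn dependency:list` (the sample lines are constructed for this example) and flags any io.micrometer artifact whose version falls inside an affected range. It assumes that a qualifier such as -SNAPSHOT or -RC1 can be dropped and the numeric part compared on its own.

```python
import re

# Affected artifacts and inclusive version ranges, taken from the advisory above.
AFFECTED_ARTIFACTS = {"micrometer-core", "micrometer-jetty11", "micrometer-jetty12"}
AFFECTED_RANGES = [
    ("1.9.0", "1.9.17"),
    ("1.13.0", "1.13.18"),
    ("1.14.0", "1.14.15"),
    ("1.15.0", "1.15.11"),
    ("1.16.0", "1.16.5"),
]

def parse_version(v):
    """Turn '1.13.5' (or '1.13.5-SNAPSHOT') into a comparable (major, minor, patch) tuple.
    Assumption: a qualifier after '-' or '+' is dropped and the numeric part decides."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(artifact, version):
    """True when the artifact is one named in the advisory and its version is in range."""
    if artifact not in AFFECTED_ARTIFACTS:
        return False
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

# Sample output in the shape of `mvn dependency:list` (constructed, not from a real build).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    io.micrometer:micrometer-core:jar:1.13.5:compile
[INFO]    io.micrometer:micrometer-jetty12:jar:1.16.6:compile
[INFO]    io.micrometer:micrometer-observation:jar:1.13.5:compile
[INFO]    org.eclipse.jetty:jetty-server:jar:12.0.16:compile
"""

DEP_LINE = re.compile(r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:(?P<version>[^:\s]+):")

def find_affected(dependency_list):
    """Return (artifact, version) pairs from dependency:list output that are in an affected range."""
    hits = []
    for line in dependency_list.splitlines():
        m = DEP_LINE.match(line)
        if not m or m.group("group") != "io.micrometer":
            continue
        if is_affected(m.group("artifact"), m.group("version")):
            hits.append((m.group("artifact"), m.group("version")))
    return hits

if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED: {artifact} {version}")
```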
Risk and Exploitability
The CVSS score of 7.5 classifies this as a high-severity vulnerability. The EPSS score of 0.00416 indicates a very low probability of exploitation. While the vulnerability is not listed in the CISA KEV catalog, its existence means that exploitation could still occur, especially if the vulnerable middleware is exposed to the internet. The attack is unauthenticated; an attacker can trigger the denial of service by sending crafted HTTP requests to any Micrometer-instrumented endpoint.
OpenCVE Enrichment