Impact
Spring Cloud Config Server uses the configuration property spring.cloud.config.server.git.basedir as the base directory into which it clones Git repositories. The default behavior is vulnerable to a time-of-check to time-of-use (TOCTOU) flaw that allows an attacker to manipulate the base directory and cause the server to clone repositories into arbitrary locations. As inferred from the nature of a TOCTOU weakness, this can let an attacker read, modify, or execute files outside the intended configuration directory, potentially leading to unauthorized data access or code execution. The weakness is classified as CWE-367, a classic TOCTOU scenario.
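As an added illustration (not Spring Cloud Config's own code or the vendor's fix), the following Java snippet shows the kind of containment check that closes a check-then-use gap around a basedir-relative clone target: the base directory is resolved to its real path, the candidate is normalized and tested for containment, and the directory is created in a single call that fails if anything already occupies that name. The `CloneDirGuard` class and its `subdir` parameter are assumptions for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrative guard for a clone directory under a configured basedir.
 * Added example; it is not Spring Cloud Config's implementation.
 */
public final class CloneDirGuard {

    private CloneDirGuard() {}

    /**
     * Returns the directory to clone into, or throws if the candidate would
     * escape the configured base directory.
     *
     * @param basedir value of spring.cloud.config.server.git.basedir (assumed to exist)
     * @param subdir  hypothetical per-repository name derived from request data
     */
    public static Path resolveCloneDir(Path basedir, String subdir) throws IOException {
        // Resolve symlinks first so the containment test runs against the real location.
        Path realBase = basedir.toRealPath();
        // normalize() collapses "." and ".." segments before the containment test.
        Path candidate = realBase.resolve(subdir).normalize();
        if (!candidate.startsWith(realBase) || candidate.equals(realBase)) {
            throw new IllegalArgumentException("clone target escapes basedir: " + subdir);
        }
        // Create in one call: mkdir fails if a file or planted symlink already exists
        // there, so there is no separate existence check that could go stale.
        Files.createDirectory(candidate);
        // Re-resolve after creation and confirm it still lies under the real basedir.
        Path realCandidate = candidate.toRealPath();
        if (!realCandidate.startsWith(realBase)) {
            throw new IOException("clone target moved outside basedir: " + candidate);
        }
        return realCandidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary basedir standing in for the configured one.
        Path base = Files.createTempDirectory("config-repo");
        System.out.println(resolveCloneDir(base, "app-main"));   // a name inside basedir
        try {
            resolveCloneDir(base, "../../etc");                   // a traversal attempt
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```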
Affected Systems
The vulnerability affects Spring Cloud Config releases in the 3.1.x (3.1.0 through 3.1.13), 4.1.x (4.1.0 through 4.1.9), 4.2.x (4.2.0 through 4.2.6), 4.3.x (4.3.0 through 4.3.2), and 5.0.x (5.0.0 through 5.0.2) series. For each series, upgrading to the indicated non-affected release (3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3 respectively) mitigates the issue.
Risk and Exploitability
The CVSS base score of 7.4 places this flaw in the high-severity range. No EPSS score is available, but the absence of an EPSS entry does not preclude exploitation; the flaw is publicly known through Spring's advisory. It is not currently listed in the CISA KEV catalog. The most likely attack path involves a remote actor instructing the Config Server to clone a Git repository via a crafted URL, using the TOCTOU window to redirect the clone into privileged or sensitive filesystem locations. Successful exploitation would grant the attacker unauthorized read/write access to arbitrary files on the Config Server host, as inferred from the potential misuse of the clone location.
OpenCVE Enrichment