CVE-2025-53602
📋 TL;DR
Zipkin versions through 3.5.1 expose a /heapdump endpoint via Spring Boot Actuator that can be accessed without authentication. This allows attackers to retrieve sensitive memory contents including application data, credentials, and session information. Any organization running vulnerable Zipkin instances is affected.
💻 Affected Systems
- Zipkin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers extract sensitive application data, credentials, and cryptographic keys from memory, leading to complete system compromise and data exfiltration.
Likely Case
Unauthenticated attackers access heap dumps containing application configuration, user session data, and potentially sensitive business information.
If Mitigated
With proper network segmentation and authentication controls, the endpoint is inaccessible to unauthorized users, limiting exposure.
🎯 Exploit Status
Simple HTTP GET request to /heapdump endpoint. Similar to CVE-2025-48927 exploitation patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.2 and later
Vendor Advisory: https://github.com/openzipkin/zipkin/commit/3c7605dfdfab2dd341cf0ea121a56cefcd580d9e
Restart Required: Yes
Instructions:
1. Upgrade Zipkin to version 3.5.2 or later.
2. Update dependencies to ensure Spring Boot Actuator security patches are applied.
3. Restart the Zipkin service.
🔧 Temporary Workarounds
Disable /heapdump endpoint
Configure Spring Boot Actuator to disable the heapdump endpoint:
management.endpoint.heapdump.enabled=false
Restrict actuator endpoints
Configure Spring Security to restrict access to actuator endpoints:
Add security configuration to require authentication for /actuator/** endpoints
🧯 If You Can't Patch
- Implement network access controls to restrict access to Zipkin instances
- Deploy a web application firewall (WAF) to block requests to /heapdump endpoint
🔍 How to Verify
Check if Vulnerable:
Check if accessing http://[zipkin-host]:9411/heapdump returns a heap dump file without authentication
Check Version:
Check Zipkin UI or logs for version information, or run: java -jar zipkin.jar --version
Verify Fix Applied:
Verify that requests to the /heapdump endpoint return 404 or require authentication after patching
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /heapdump endpoint
- Large file downloads from /heapdump
Network Indicators:
- HTTP GET requests to /heapdump endpoint
- Unusual outbound traffic patterns after heapdump access
SIEM Query:
source="zipkin" AND (url="/heapdump" OR url="/actuator/heapdump")
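The log indicators above can be checked offline as well as in a SIEM. The following is an added example (not part of the original advisory) that scans access-log lines for requests to /heapdump or /actuator/heapdump, rates an HTTP 200 as a served dump and flags unusually large responses; the log lines and the 50 MB size threshold are constructed for illustration.

```python
import re

# Constructed sample access-log lines (Combined Log Format); not from a real Zipkin host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2025:10:01:02 +0000] "GET /api/v2/services HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [12/Jul/2025:10:02:15 +0000] "GET /heapdump HTTP/1.1" 200 734003200 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jul/2025:10:02:40 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.0.0.9 - - [12/Jul/2025:10:03:01 +0000] "GET /zipkin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Jul/2025:10:04:11 +0000] "GET /actuator/heapdump?x=1 HTTP/1.1" 200 523000000 "-" "Go-http-client/1.1"
"""

# Minimal Combined Log Format parser: source, timestamp, method, path, status, bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Both paths named in the advisory's SIEM query.
HEAPDUMP_PATHS = {"/heapdump", "/actuator/heapdump"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Drop any query string so "/heapdump?x=1" still matches the indicator paths.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_heapdump_events(log_text, large_threshold=50 * 1024 * 1024):
    """Return one alert per request to a heapdump path.

    severity 'high': HTTP 200, i.e. a dump was actually served (the page's log indicator).
    severity 'info': any other status, e.g. 401/404 once the endpoint is disabled or protected.
    large_download: served AND response size at or above the (assumed) threshold.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in HEAPDUMP_PATHS:
            continue
        served = rec["status"] == 200
        alerts.append({"src": rec["src"], "ts": rec["ts"], "path": rec["path"],
                       "status": rec["status"], "bytes": rec["bytes"],
                       "severity": "high" if served else "info",
                       "large_download": served and rec["bytes"] >= large_threshold})
    return alerts
```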