|
Vulnerabilities
< Back

CVE-2026-40984

Updated on 08 Jun 2026

Severity

7.5 High severity

Details

CVSS score
7.5
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

SVG ImageDescription

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses a vulnerable version of io.micrometer:micrometer-core, micrometer-jetty11, or micrometer-jetty12
  • one or more of the HTTP server instrumentations from these artifacts are configured and metrics are recorded through the instrumentation

SVG ImageAffected Products and Versions

micrometer-core:

  • 1.16.0 - 1.16.5
  • 1.15.0 - 1.15.11
  • 1.14.0 - 1.14.15
  • 1.13.0 - 1.13.18
  • 1.9.0 - 1.9.17

micrometer-jetty11:

  • 1.16.0 - 1.16.5
  • 1.15.0 - 1.15.11
  • 1.14.0 - 1.14.15
  • 1.13.0 - 1.13.18

micrometer-jetty12:

  • 1.16.0 - 1.16.5
  • 1.15.0 - 1.15.11
  • 1.14.0 - 1.14.15
  • 1.13.0 - 1.13.18

Versions that are no longer supported are also affected.

SVG ImageMitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
1.16.x 1.16.6 OSS
1.15.x 1.15.12 OSS
1.14.x 1.14.16 Enterprise Support Only
1.13.x 1.13.19 Enterprise Support Only
1.9.x 1.9.18 Enterprise Support Only

No further mitigation steps are necessary.

SVG ImageCredit

The issue was identified and responsibly reported by Yu Bao (@August829) - [email protected] – who works for paypal.com.

SVG ImageReferences

SVG ImageHistory

  • 2026-06-08: Initial vulnerability report published.

Details

SVG ImageDescription

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

  • the application uses a vulnerable version of io.micrometer:micrometer-core, micrometer-jetty11, or micrometer-jetty12
  • one or more of the HTTP server instrumentations from these artifacts are configured and metrics are recorded through the instrumentation

SVG ImageAffected Products and Versions

micrometer-core:

  • 1.16.0 - 1.16.5
  • 1.15.0 - 1.15.11
  • 1.14.0 - 1.14.15
  • 1.13.0 - 1.13.18
  • 1.9.0 - 1.9.17

micrometer-jetty11:

  • 1.16.0 - 1.16.5
  • 1.15.0 - 1.15.11
  • 1.14.0 - 1.14.15
  • 1.13.0 - 1.13.18

micrometer-jetty12:

  • 1.16.0 - 1.16.5
  • 1.15.0 - 1.15.11
  • 1.14.0 - 1.14.15
  • 1.13.0 - 1.13.18

Versions that are no longer supported are also affected.

SVG ImageMitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
1.16.x 1.16.6 OSS
1.15.x 1.15.12 OSS
1.14.x 1.14.16 Enterprise Support Only
1.13.x 1.13.19 Enterprise Support Only
1.9.x 1.9.18 Enterprise Support Only

No further mitigation steps are necessary.

SVG ImageCredit

The issue was identified and responsibly reported by Yu Bao (@August829) - [email protected] – who works for paypal.com.

SVG ImageReferences

SVG ImageHistory

  • 2026-06-08: Initial vulnerability report published.