Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.
AnalysisAI
Denial-of-service in Micrometer (micrometer-core, micrometer-jetty11, and micrometer-jetty12) allows remote unauthenticated attackers to exhaust resources by sending specially crafted HTTP requests against applications that expose Micrometer-instrumented endpoints. The flaw affects a wide swath of supported 1.9.x through 1.16.x release lines and carries a CVSS 7.5 (availability-only) impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Micrometer is the de facto application metrics facade for the JVM, used by Spring Boot and many Jetty-based services to expose observability data (counters, timers, distributions) to backends like Prometheus, Datadog, and others. The micrometer-jetty11/jetty12 modules instrument the Jetty 11 and 12 HTTP server request lifecycle, meaning crafted request attributes (URI path, headers, or routing metadata) are processed during metric tagging. The CWE-400 (Uncontrolled Resource Consumption) classification indicates that some request-derived input is allowed to inflate cardinality, allocate unbounded structures, or otherwise consume CPU/memory disproportionately to the request size, which is a classic pitfall for HTTP metric instrumentation libraries that derive tags from request data.
RemediationAI
Upgrade to a fixed Micrometer release line above the listed affected ranges - i.e., beyond 1.9.17 on the 1.9.x line, beyond 1.13.18, 1.14.15, 1.15.11, and 1.16.5 on their respective maintenance branches - by consulting the Spring advisory at https://spring.io/security/cve-2026-40984 for the exact patched build numbers, since exact fix versions are not enumerated in the supplied data (Patch available per vendor advisory). Because Micrometer is almost always pulled in transitively by Spring Boot or other frameworks, audit your dependency tree (mvn dependency:tree / gradle dependencies) and override the micrometer-core, micrometer-jetty11, and micrometer-jetty12 versions explicitly. As a compensating control until patching, place the affected service behind a reverse proxy or WAF that enforces strict URI length, header size, and request-rate limits, and restrict exposure of any /actuator or metrics endpoints to internal networks only; note this does not stop the DoS if any instrumented HTTP path is publicly reachable, since the vulnerability is triggered during request instrumentation rather than at the metrics endpoint itself.
More in Micrometer
View allSame weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35320
GHSA-g3pr-3p32-fp23