Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Remote single-request Host-header spoof with no auth or UI; high confidentiality from actuator data exposure, low integrity from writable actuators, no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (Management:Endpoints:Port is configured), the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (RequireAuthorization) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the Host header value and prevent clients from setting an arbitrary port.
AnalysisAI
Improper authentication in Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 allows remote unauthenticated attackers to reach actuator endpoints intended to be isolated on a separate management port by spoofing the HTTP Host header. The middleware trusted the client-supplied Host header port instead of the actual TCP socket port, defeating port-based access restrictions and enabling information disclosure from sensitive actuator endpoints. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target application must be running Steeltoe Management 3.2.2-3.3.0 or 4.1.0 with the Management:Endpoints:Port configuration key set to a value different from the main application port (i.e., the alternate-management-port deployment pattern). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (8.2 High) accurately reflects a network-reachable, unauthenticated, single-request bypass with high confidentiality impact (actuators frequently expose environment variables, configuration, heap dumps, and trace data) and limited integrity impact (some actuators allow state changes such as log-level adjustments). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the application's public HTTP port sends a normal GET to /actuator/env (or any other sensitive actuator path) while setting the Host header to host:9090, where 9090 is the configured management port. The middleware parses the spoofed port from the Host header, concludes the request arrived on the management port, and serves the actuator response over the public socket - leaking environment variables, configuration, and other sensitive runtime data. … |
| Remediation | Vendor-released patch: upgrade Steeltoe Management to 3.4.0 (3.x line) or 4.2.0 (4.x line), which replace the Host-header-port check with context.Connection.LocalPort per commits https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe89ac2e6c609554e435ab28996fec5e9 and https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Steeltoe versions 3.2.2-3.3.0 or 4.1.0 via configuration management and asset inventory. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Steeltoe Management Endpoint
View allSensitive credential disclosure in Steeltoe.Management.Endpoint before 4.2.0 and Steeltoe.Management.EndpointCore before
Sensitive actuator endpoints in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore expose heap dumps, env
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37801
GHSA-58f6-6rj2-3v8r