Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-40984: Micrometer HTTP server instrumentations DoS vulnerability
Description
In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
- the application uses a vulnerable version of
io.micrometer:micrometer-core,micrometer-jetty11, ormicrometer-jetty12 - one or more of the HTTP server instrumentations from these artifacts are configured and metrics are recorded through the instrumentation
Affected Products and Versions
micrometer-core:
- 1.16.0 - 1.16.5
- 1.15.0 - 1.15.11
- 1.14.0 - 1.14.15
- 1.13.0 - 1.13.18
- 1.9.0 - 1.9.17
micrometer-jetty11:
- 1.16.0 - 1.16.5
- 1.15.0 - 1.15.11
- 1.14.0 - 1.14.15
- 1.13.0 - 1.13.18
micrometer-jetty12:
- 1.16.0 - 1.16.5
- 1.15.0 - 1.15.11
- 1.14.0 - 1.14.15
- 1.13.0 - 1.13.18
Versions that are no longer supported are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 1.16.x | 1.16.6 | OSS |
| 1.15.x | 1.15.12 | OSS |
| 1.14.x | 1.14.16 | Enterprise Support Only |
| 1.13.x | 1.13.19 | Enterprise Support Only |
| 1.9.x | 1.9.18 | Enterprise Support Only |
No further mitigation steps are necessary.
Credit
The issue was identified and responsibly reported by Yu Bao (@August829) - [email protected] – who works for paypal.com.
References
History
- 2026-06-08: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all