HIGH | Remediated
CVE-2025-8771
Actuator endpoint exposes internal metrics to unauthenticated requests
Technology: Spring Boot
CVSS Score: 7.5 / 10.0
Affected Versions: 2.7.0 – 2.7.17
Patched In: OSSeva for Spring Boot 2.7.18-osseva-1
Published: November 5, 2025
Remediated: November 20, 2025
Description
Spring Boot Actuator endpoints in 2.x are exposed without authentication when certain auto-configuration classes are present and security is not explicitly configured, leaking internal metrics, environment properties, and health details.