VYPR
Medium severity · 5.3 · OSV Advisory · Published Jul 4, 2025 · Updated Apr 15, 2026

CVE-2025-53602

Description

Zipkin through 3.5.1 exposes a /heapdump endpoint (associated with its use of Spring Boot Actuator); this is a similar issue to CVE-2025-48927.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Ecosystem | Affected versions | Patched versions
io.zipkin:zipkin-server  | Maven     | <= 3.5.1          |

Affected products

1

Patches

1
3c7605dfdfab

Disable Spring Boot Actuator /heapdump endpoint (#3804)

https://github.com/openzipkin/zipkin · Andriy Redko · Jun 14, 2025 · via ghsa
2 files changed · +2 −2
  • docker/test-images/zipkin-mysql/Dockerfile (+1 −1) modified
    @@ -28,7 +28,7 @@ HEALTHCHECK --interval=1s --start-period=30s --timeout=5s CMD ["docker-healthche
     ENTRYPOINT ["start-mysql"]
     
     # Use latest from https://pkgs.alpinelinux.org/packages?name=mysql (without the -r[0-9])
    -ARG mysql_version=11.4.5-r2
    +ARG mysql_version=11.4.7-r0
     LABEL mysql-version=$mysql_version
     ENV MYSQL_VERSION=$mysql_version
     
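Review bot: the `mysql_version` bump from 11.4.5-r2 to 11.4.7-r0 in this hunk is unrelated to disabling the /heapdump endpoint that this commit (#3804) is about. Bundling a test-image dependency update into the security fix makes the patch harder to cherry-pick onto release branches and forces downstream reviewers to vet a change that has nothing to do with the advisory. Suggest moving the version bump to its own commit so the fix consists only of the zipkin-server-shared.yml change.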
    
  • zipkin-server/src/main/resources/zipkin-server-shared.yml (+1 −1) modified
    @@ -106,7 +106,6 @@ zipkin:
             - org.springframework.boot.actuate.autoconfigure.context.properties.ConfigurationPropertiesReportEndpointAutoConfiguration
             - org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration
             - org.springframework.boot.actuate.autoconfigure.env.EnvironmentEndpointAutoConfiguration
    -        - org.springframework.boot.actuate.autoconfigure.management.HeapDumpWebEndpointAutoConfiguration
             - org.springframework.boot.actuate.autoconfigure.logging.LoggersEndpointAutoConfiguration
             - org.springframework.boot.actuate.autoconfigure.management.ThreadDumpEndpointAutoConfiguration
     
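Review bot: removing `HeapDumpWebEndpointAutoConfiguration` from this list under `zipkin:` is the right direction, but nothing in the patch guards against it being re-added, and the comment in the following hunk itself warns that these exclusions drift between Spring Boot minor versions. Suggest adding a test in the server module that starts the application and asserts that `GET /actuator/heapdump` returns 404 and that no heapdump entry appears in the actuator index, so a future Spring Boot upgrade or configuration reshuffle cannot silently re-expose the endpoint.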
    @@ -232,6 +231,7 @@ spring:
         # NOTE: These exclusions can drift between Spring Boot minor versions. Audit accordingly.
         # Ex. curl -s localhost:9411/actuator/beans|jq '.contexts.application.beans|keys_unsorted[]'|sort
         exclude:
    +      - org.springframework.boot.actuate.autoconfigure.management.HeapDumpWebEndpointAutoConfiguration
           # JMX is disabled
           - org.springframework.boot.actuate.autoconfigure.endpoint.jmx.JmxEndpointAutoConfiguration
           # /health and /actuator/health served directly by Armeria
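Review bot: the newly added exclude entry for `HeapDumpWebEndpointAutoConfiguration` is the only item in this list without an explanatory comment; the sibling entries document why they are excluded (`# JMX is disabled`, `# /health and /actuator/health served directly by Armeria`). Suggest a comment above the new line stating that the heap dump endpoint is disabled because a heap dump discloses process memory contents, and referencing CVE-2025-53602, so the next person auditing the exclusions with the `curl ... /actuator/beans` recipe noted above does not drop it as stale.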
    

References

6

News mentions

0

No linked articles in our index yet.