CVE-2026-40984

Vulnerability

In Micrometer, specifically within the micrometer-core, micrometer-jetty11, and micrometer-jetty12 artifacts, a denial-of-service (DoS) condition can be triggered. This vulnerability affects micrometer-core versions 1.16.0 through 1.16.5, 1.15.0 through 1.15.11, 1.14.0 through 1.14.15, 1.13.0 through 1.13.18, and 1.9.0 through 1.9.17. It also affects micrometer-jetty11 and micrometer-jetty12 versions 1.16.0 through 1.16.5, 1.15.0 through 1.15.11, 1.14.0 through 1.14.15, and 1.13.0 through 1.13.18. The vulnerability is present when one or more HTTP server instrumentations are configured and metrics are recorded through them [1].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to an application that uses a vulnerable version of Micrometer and has HTTP server instrumentations configured. No specific authentication or user interaction is mentioned as required for exploitation, suggesting that an unauthenticated attacker with network access to the vulnerable application could potentially trigger the DoS condition [1].

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service (DoS) condition. This means that the application may become unresponsive or crash, preventing legitimate users from accessing its services. The scope of the impact is limited to the availability of the affected application [1].

Mitigation

Users of affected versions should upgrade to the following fixed versions: 1.16.6 for 1.16.x, 1.15.12 for 1.15.x, 1.14.16 for 1.14.x, 1.13.19 for 1.13.x, and 1.9.18 for 1.9.x. Versions that are no longer supported are also affected. No further mitigation steps are necessary beyond upgrading [1].