CVE-2025-53602: 
Java vulnerability analysis and mitigation

Zipkin through version 3.5.1 contains a security vulnerability related to an exposed /heapdump endpoint, which is associated with the use of Spring Boot Actuator. This vulnerability was discovered and disclosed on July 4, 2025, and affects all versions of Zipkin up to and including 3.5.1. The issue is similar to CVE-2025-48927, which was previously identified in other systems (NVD, MITRE).

The vulnerability stems from an exposed Spring Boot Actuator endpoint at /heapdump that allows access to sensitive heap memory information. The issue has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-1188 (Insecure Default Initialization of Resource) (NVD).

The exposed /heapdump endpoint could allow attackers to access sensitive information stored in the application's heap memory, potentially including configuration details, credentials, and other runtime data that could be used for further attacks (NVD).

The issue has been addressed by disabling the Spring Boot Actuator /heapdump endpoint. A fix has been implemented and merged through pull request #3804. Users should upgrade to the latest version of Zipkin that includes this security fix (GitHub Commit, GitHub PR).