CVE-2025-53602 is a medium-severity vulnerability affecting Open Zipkin, specifically versions up to 3.5.1. The vulnerability arises from the presence of a /heapdump endpoint exposed via the Spring Boot Actuator integration. This endpoint allows access to heap dumps, which are snapshots of the application’s memory at a given time. Heap dumps can contain sensitive information such as application secrets, credentials, or other confidential data. The root cause is classified under CWE-1188, which refers to the initialization of a resource with insecure default settings. In this case, the default configuration of Zipkin’s Spring Boot Actuator exposes the /heapdump endpoint without authentication or access restrictions, making it accessible over the network. The CVSS 3.1 base score is 5.3 (medium), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability is remotely exploitable without privileges or user interaction, and impacts confidentiality to a limited extent, but does not affect integrity or availability. While no known exploits are reported in the wild, the exposure of heap dumps can lead to information disclosure, which attackers could leverage for further attacks or reconnaissance. This vulnerability is similar to CVE-2025-48927, which also involved insecure exposure of diagnostic endpoints in Spring Boot Actuator. The affected versions are not explicitly detailed beyond "0", but the description references versions through 3.5.1, suggesting that users of Zipkin up to that version are vulnerable. No patches or mitigations are linked in the provided data, indicating that users should verify their configurations and apply any available updates from the vendor.

For European organizations, the exposure of heap dumps via the /heapdump endpoint in Zipkin can lead to unauthorized disclosure of sensitive runtime information. This can include environment variables, credentials, tokens, or other secrets stored in memory, which attackers could use to escalate privileges or move laterally within networks. Organizations relying on Zipkin for distributed tracing in microservices architectures may inadvertently expose internal application details, increasing the risk of targeted attacks. The impact is particularly significant for sectors with stringent data protection requirements such as finance, healthcare, and critical infrastructure, where leakage of sensitive information can lead to regulatory penalties under GDPR and damage to reputation. Although the vulnerability does not directly allow code execution or denial of service, the confidentiality breach can be a stepping stone for more severe attacks. Given the remote and unauthenticated nature of the exploit, attackers can scan for exposed endpoints and retrieve heap dumps without needing credentials or user interaction, increasing the risk of automated exploitation attempts.

European organizations using Zipkin should immediately audit their Spring Boot Actuator configurations to ensure that sensitive endpoints like /heapdump are not exposed publicly or are secured behind strong authentication and network access controls. Specifically, disable the /heapdump endpoint if not required, or restrict its access to trusted internal networks only. Implement network-level protections such as firewalls and API gateways to block unauthorized access to actuator endpoints. Monitor logs and network traffic for any unusual access patterns to these endpoints. Stay updated with Open Zipkin releases and apply patches or configuration updates as soon as they become available. Additionally, conduct regular security reviews of all diagnostic and management endpoints in microservices environments to prevent similar exposures. Employ secrets management best practices to minimize sensitive data stored in memory and consider runtime application self-protection (RASP) tools to detect anomalous access attempts.