This vulnerability in Spring AI arises from insecure temporary file usage that can lead to exposure of the ONNX model files when the application runs in a shared environment. The affected versions are 1.0.0 to 1.0.5 and 1.1.0 to 1.1.4, with fixes introduced in 1.0.6 and 1.1.5. The CVSS vector indicates local attack vector with low complexity and low privileges required, no user interaction, unchanged scope, limited confidentiality impact, high integrity impact, and no availability impact. The vulnerability is categorized under CWE-377, which concerns insecure temporary file creation or usage.

An attacker with local access and low privileges in a shared environment could exploit this vulnerability to gain unauthorized read access to the ONNX model files used by Spring AI, potentially leading to information disclosure and integrity compromise of the model. There is no indication of availability impact or remote exploitation. No known exploits have been reported in the wild.

Fixed versions 1.0.6 and 1.1.5 of Spring AI address this vulnerability. Users should upgrade to these or later versions to remediate the issue. Since no official vendor advisory or patch links are provided, confirm patch availability and details from the Spring project or vendor channels. No cloud service remediation applies as this is not a cloud-hosted service. Until upgrade, limit access to shared environments and restrict local privileges to mitigate risk.