CVE-2025-15141
Unknown Unknown - Not Provided
Information Disclosure via Configuration Handler in Halo /actuator (High Complexity

Publication date: 2025-12-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Halo up to 2.21.10. This issue affects some unknown processing of the file /actuator of the component Configuration Handler. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15141
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
halo halo to 2.21.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability leads to unauthorized exposure of sensitive internal information through improperly configured actuator endpoints. Such information disclosure can potentially violate data protection requirements under standards like GDPR and HIPAA, which mandate the protection of sensitive and personal data. Failure to secure these endpoints and prevent information leakage may result in non-compliance with these regulations. Mitigation involves restricting access to these endpoints and disabling unnecessary ones to protect confidentiality. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by checking for unauthorized access or exposure of sensitive Spring Boot Actuator endpoints such as /actuator/env, /actuator/heapdump, and /actuator/logfile on the Halo application. You can use network scanning or HTTP request commands to probe these endpoints remotely. For example, using curl commands: curl -i http://<target-host>/actuator/env curl -i http://<target-host>/actuator/heapdump curl -i http://<target-host>/actuator/logfile If these endpoints return sensitive information without proper authentication or restrictions, the system is vulnerable. [1, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /actuator endpoints by implementing firewall rules to limit remote access only to trusted IPs or internal networks. Additionally, disable or close all unnecessary sensitive Actuator endpoints in the Halo application configuration. Adjust the Spring Boot Actuator configuration to explicitly enable only the minimal set of endpoints required for business functionality, thereby preventing unintended information disclosure. [2, 3]

Executive Summary

This vulnerability exists in Halo up to version 2.21.10, specifically in the Configuration Handler component when processing the /actuator file. An attacker can manipulate this processing remotely, which may lead to information disclosure. The attack is complex and difficult to exploit, but the exploit has been publicly disclosed.

Impact Analysis

The vulnerability can lead to unauthorized information disclosure if exploited. Although the attack is complex and difficult to perform, a remote attacker could potentially gain access to sensitive information through the Configuration Handler's processing of the /actuator file.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15141. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart