CVE-2020-5410

HIGH KEV NUCLEI

Spring Cloud Config <2.2.3 & <2.1.9 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-5410 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 5 public exploits from researchers including osamahamad, shoucheng3, dead5nd, including a Metasploit module auxiliary/scanner/http/springcloud_directory_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a functional proof-of-concept for CVE-2020-5410, a directory traversal vulnerability in Spring Cloud Config. The PoC includes a curl command that exploits the vulnerability to read arbitrary files (e.g., /etc/passwd) via a crafted URL with double-encoded traversal sequences.

Description

Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

Exploits (5)

nomisec WORKING POC 31 stars
by osamahamad · poc
https://github.com/osamahamad/CVE-2020-5410-POC

This repository provides a functional proof-of-concept for CVE-2020-5410, a directory traversal vulnerability in Spring Cloud Config. The PoC includes a curl command that exploits the vulnerability to read arbitrary files (e.g., /etc/passwd) via a crafted URL with double-encoded traversal sequences.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Spring Cloud Config (versions 2.2.x before 2.2.3, 2.1.x before 2.1.9, and older unsupported versions)
No auth needed
Prerequisites: A vulnerable instance of Spring Cloud Config Server accessible via HTTP
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/spring-cloud__spring-cloud-config_CVE-2020-5410_2-1-8-RELEASE

This repository contains the source code for Spring Cloud Config, specifically the 2.1.8.RELEASE version, which is vulnerable to CVE-2020-5410. The files include configuration, documentation, and Java source code for the client and environment modules, but no explicit exploit code is present.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Spring Cloud Config 2.1.8.RELEASE
No auth needed
Prerequisites: Access to a vulnerable Spring Cloud Config server
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SUSPICIOUS
by dead5nd · poc
https://github.com/dead5nd/config-demo

The repository contains only configuration files with no exploit code or technical details about CVE-2020-5410. The README is minimal and lacks any meaningful analysis or PoC.

Classification
Suspicious 90%
Attack Type
Other
Complexity
N/a
Reliability
Theoretical
Target: Spring Cloud Config
No auth needed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
vulncheck_xdb WRITEUP
infoleak
https://github.com/bloodbile/LobeChat-MIX

The repository provides a detailed technical analysis of CVE-2020-5410 (Spring Cloud Config Path Traversal) and CVE-2013-3770 (Oracle IDoc Injection) in LobeChat versions 1.46.7 and lower. It includes HTTP request examples demonstrating path traversal and command injection techniques, along with a description of the discovery process.

Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: LobeChat versions 1.46.7 and lower
No auth needed
Prerequisites: access to vulnerable LobeChat endpoints
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC
by Fei Lu, [email protected], Dhiraj Mishra · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/springcloud_directory_traversal.rb

This Metasploit module exploits an unauthenticated directory traversal vulnerability in Spring Cloud Config Server by sending a crafted HTTP GET request with encoded path traversal sequences to read arbitrary files from the server.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Spring Cloud Config Server versions 2.2.x prior to 2.2.3 and 2.1.x prior to 2.1.9
No auth needed
Prerequisites: Network access to the target server on port 8888
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Spring Cloud Config Server - Local File Inclusion
HIGHby mavericknerd

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.9431
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2022-03-25
VulnCheck KEV 2022-01-12
InTheWild.io 2021-10-11
ENISA EUVD EUVD-2020-0451
CWE
CWE-22 CWE-23
Status published
Products (2)
org.springframework.cloud/spring-cloud-config-server 2.1.0 - 2.1.9Maven
vmware/spring_cloud_config 2.1.0 - 2.1.9
Published Jun 02, 2020
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026