Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.
CVE-2020-5410
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2022-03-25), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 7.5 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 9.0(medium)
- EPSS
- 99.9%
- KEV
- ⚠ Exploited
Published
June 2, 2020
Last Modified
November 3, 2025
Advisory Details (2)
Auto-updated Jun 4, 2026Known Exploited Vulnerabilities Catalog | CISA
Known Exploited Vulnerabilities Catalog | CISA. Listed in CISA Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5410CVE-2020-5410: Directory Traversal with spring-cloud-config-server
https://tanzu.vmware.com/security/cve-2020-5410Vendor Advisories for CVE-2020-5410(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(2)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | spring-cloud-config-server | 2021-08-11 | redhat |
| redhat | patch | 2020-12-16 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.springframework.cloud:spring-cloud-config-server | 2.2.0.RELEASE, 2.2.1.RELEASE, 2.2.2.RELEASE | 2.2.3 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(1)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
Data Freshness Timeline
(refreshed 93× in last 7d / 408× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 575 total refreshes for this CVE.
- 2026-07-11 23:02 UTCEG score recompute
- 2026-07-11 23:02 UTCVendor advisory
- 2026-07-11 19:21 UTCEG score recompute
- 2026-07-11 19:21 UTCVendor advisory
- 2026-07-11 15:40 UTCEG score recompute
- 2026-07-11 15:40 UTCVendor advisory
- 2026-07-11 11:59 UTCEG score recompute
- 2026-07-11 11:59 UTCVendor advisory
- 2026-07-11 08:18 UTCEG score recompute
- 2026-07-11 08:18 UTCVendor advisory
- 2026-07-11 04:37 UTCEG score recompute
- 2026-07-11 04:37 UTCVendor advisory
- 2026-07-11 00:56 UTCEG score recompute
- 2026-07-11 00:56 UTCVendor advisory
- 2026-07-10 21:13 UTCEG score recompute
- 2026-07-10 21:13 UTCVendor advisory
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 17:32 UTCEG score recompute
- 2026-07-10 17:32 UTCVendor advisory
- 2026-07-10 13:51 UTCEG score recompute
- 2026-07-10 13:51 UTCVendor advisory
- 2026-07-10 10:11 UTCEG score recompute
- 2026-07-10 10:11 UTCVendor advisory
- 2026-07-10 06:30 UTCEG score recompute
- 2026-07-10 06:30 UTCVendor advisory
Show 75 moreShow fewer
- 2026-07-10 02:47 UTCEG score recompute
- 2026-07-10 02:47 UTCVendor advisory
- 2026-07-09 23:05 UTCEG score recompute
- 2026-07-09 23:05 UTCVendor advisory
- 2026-07-09 19:24 UTCEG score recompute
- 2026-07-09 19:24 UTCVendor advisory
- 2026-07-09 15:43 UTCEG score recompute
- 2026-07-09 15:43 UTCVendor advisory
- 2026-07-09 12:02 UTCEG score recompute
- 2026-07-09 12:02 UTCVendor advisory
- 2026-07-09 08:21 UTCEG score recompute
- 2026-07-09 08:21 UTCVendor advisory
- 2026-07-09 04:40 UTCEG score recompute
- 2026-07-09 04:40 UTCVendor advisory
- 2026-07-09 00:58 UTCEG score recompute
- 2026-07-09 00:58 UTCVendor advisory
- 2026-07-08 21:18 UTCEG score recompute
- 2026-07-08 21:18 UTCVendor advisory
- 2026-07-08 17:35 UTCEG score recompute
- 2026-07-08 17:35 UTCVendor advisory
- 2026-07-08 13:54 UTCEG score recompute
- 2026-07-08 13:54 UTCVendor advisory
- 2026-07-08 10:13 UTCEG score recompute
- 2026-07-08 10:13 UTCVendor advisory
- 2026-07-08 06:32 UTCEG score recompute
- 2026-07-08 06:32 UTCVendor advisory
- 2026-07-08 02:51 UTCEG score recompute
- 2026-07-08 02:51 UTCVendor advisory
- 2026-07-07 23:10 UTCEG score recompute
- 2026-07-07 23:10 UTCVendor advisory
- 2026-07-07 19:29 UTCEG score recompute
- 2026-07-07 19:29 UTCVendor advisory
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 15:48 UTCEG score recompute
- 2026-07-07 15:48 UTCVendor advisory
- 2026-07-07 12:05 UTCEG score recompute
- 2026-07-07 12:05 UTCVendor advisory
- 2026-07-07 08:23 UTCEG score recompute
- 2026-07-07 08:23 UTCVendor advisory
- 2026-07-07 04:41 UTCEG score recompute
- 2026-07-07 04:41 UTCVendor advisory
- 2026-07-07 00:59 UTCEG score recompute
- 2026-07-07 00:59 UTCVendor advisory
- 2026-07-06 21:18 UTCEG score recompute
- 2026-07-06 21:18 UTCVendor advisory
- 2026-07-06 17:35 UTCEG score recompute
- 2026-07-06 17:35 UTCVendor advisory
- 2026-07-06 13:53 UTCEG score recompute
- 2026-07-06 13:53 UTCVendor advisory
- 2026-07-06 10:12 UTCEG score recompute
- 2026-07-06 10:12 UTCVendor advisory
- 2026-07-06 06:29 UTCEG score recompute
- 2026-07-06 06:29 UTCVendor advisory
- 2026-07-06 02:48 UTCEG score recompute
- 2026-07-06 02:48 UTCVendor advisory
- 2026-07-05 23:08 UTCEG score recompute
- 2026-07-05 23:08 UTCVendor advisory
- 2026-07-05 19:26 UTCEG score recompute
- 2026-07-05 19:26 UTCVendor advisory
- 2026-07-05 15:45 UTCEG score recompute
- 2026-07-05 15:45 UTCVendor advisory
- 2026-07-05 12:04 UTCEG score recompute
- 2026-07-05 12:04 UTCVendor advisory
- 2026-07-05 08:23 UTCEG score recompute
- 2026-07-05 08:23 UTCVendor advisory
- 2026-07-05 04:42 UTCEG score recompute
- 2026-07-05 04:42 UTCVendor advisory
- 2026-07-05 01:00 UTCEG score recompute
- 2026-07-05 01:00 UTCVendor advisory
- 2026-07-04 21:17 UTCEG score recompute
- 2026-07-04 21:17 UTCVendor advisory
- 2026-07-04 17:37 UTCEG score recompute
- 2026-07-04 17:37 UTCVendor advisory
- 2026-07-04 13:55 UTCEG score recompute
Publicly available exploits
(3 references)Working exploit code is in the public domain (1 Metasploit module) (1 GitHub PoC). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCosamahamad/CVE-2020-5410-POCFirst seen Jun 16, 2020
CVE-2020-5410 Spring Cloud Config directory traversal vulnerability
Open source ↗ - Metasploitauxiliary/scanner/http/springcloud_directory_traversal✓ verifiedFirst seen Jun 1, 2020
Directory Traversal in Spring Cloud Config Server
Open source ↗ - Nucleihttp/cves/2020/CVE-2020-5410.yamlFirst seen Jan 1, 2020
Spring Cloud Config Server - Local File Inclusion
Open source ↗
Frequently asked(6)
What is CVE-2020-5410?
When was CVE-2020-5410 disclosed?
Is CVE-2020-5410 actively exploited?
What is the CVSS score of CVE-2020-5410?
Which products are affected by CVE-2020-5410?
How do I remediate CVE-2020-5410?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2020-5410
Is Your Infrastructure Affected by CVE-2020-5410?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.