Heapdump Havoc: Exploiting an Unprotected Spring Actuator Endpoint at a Major Food-&-Drug Retailer
Vulnerability Finding
TL;DR
Four production micro-services at a major food-and-drug retailer streamed a full JVM heap dump to anyone who hit “/actuator/heapdump”.
Opening that dump in VisualVM revealed plaintext AppDynamics admin creds, live session tokens and database connection strings—everything needed to create or destroy servers and databases at will.
Root cause: Spring Boot Actuator left wide-open in prod.
Fix: Disable the endpoint (or lock it behind strong auth) and rotate every secret that was ever in RAM.
BACKGROUND
During routine attack-surface mapping I found four sub-domains running Spring Boot. Each responded to
https://sub.example-retailer.com/actuator/heapdump
with HTTP 200 and a 400–500 MB “application/octet-stream” payload: a raw heap dump straight from the JVM.
WHAT EXACTLY IS A HEAP DUMP (VisualVM Edition)
A heap dump is a point-in-time image of everything living in a Java process’s heap—objects, field values, strings, class metadata. Ops teams usually create one with “jcmd” or “jmap”, or by calling Spring Boot’s /actuator/heapdump for last-resort diagnostics.
To inspect it you load the “.hprof” file in VisualVM:
File → Load Heap Dump → select “heap.hprof”.
After indexing, the Classes tab shows every loaded class with instance counts and retained sizes.
Use the search box or OQL Console; queries like “password=”, “Bearer ” or “jdbc:” surface secrets in seconds.
Double-click any suspect object to view its full reference chain and field values—exactly how I spotted the plain-text AppDynamics admin password.
Because the dump reflects live memory, you’ll also find:
– database passwords in HikariConfig objects
– OAuth refresh tokens, JWT signing keys
– user session objects with roles and IDs
– internal hostnames, feature-flag values, third-party API keys
A heap dump is effectively a database backup plus a credential vault—one unauthenticated GET away if /actuator/heapdump remains public.
TECHNICAL BREAKDOWN
Affected hosts (redacted for disclosure):
• https://<service-dev>.example-retailer.com/actuator/heapdump
• https://<service2-perf>.example-retailer.com/actuator/heapdump
• https://<service3-prod>.example-retailer.com/actuator/heapdump
• https://<nonce-service>.example-retailer.com/actuator/heapdump
Every request streamed a fresh, unique dump; there was no caching and no authentication.
PROOF OF CONCEPT
Pull the dump (no cookies, no token):
curl -k -o heap.hprof "https://<host>/actuator/heapdump"
Load in VisualVM and search:
– com.appdynamics.auth.PasswordHolder → "somepassword"
– controllerUri → "http://logic.saas.appdynamics.com"
– org.springframework.security.core.userdetails.User → admin@corp
Log into the AppDynamics controller with full admin privileges.
Capabilities: CRUD all users and roles, spin up or delete monitored servers, create or drop database collectors—total infrastructure control.
RISK AND IMPACT
Confidentiality – heap exposes live credentials, PII, tokens
Integrity – admin can alter schemas and server configs
Availability – monitored instances and DBs can be deleted
Reputation – breach of a household retail brand
CVSS v3.1 base score: 9.8 / Critical (Network, No Auth, High Impact)
MITIGATION PLAYBOOK
Disable heap dumps in production:
management.endpoint.heapdump.enabled=false
or exclude heapdump, env and threaddump from actuator web exposure. Gate any remaining actuator paths behind strong auth or VPN-only access.
Rotate every secret found (DB, Redis, JWT keys, OAuth tokens).
Update CI templates so new services ship with heapdump disabled by default.
Add a canary: alert if /actuator/heapdump ever returns 200 in prod.
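As an added example (not code from the original write-up), here is a small Python canary that implements the last step of this playbook: it reads at most 32 bytes of /actuator/heapdump to see whether the host really serves an HPROF file, and checks the /actuator discovery page for advertised heapdump, env and threaddump links. It assumes a placeholder host list, only urllib, and that an .hprof body starts with the `JAVA PROFILE` magic (or a gzip header on builds that compress the dump).

```python
"""Canary for exposed Spring Boot Actuator endpoints (constructed example).
Assumes your own prod base URLs, urllib only, and the HPROF magic below."""
import json
import urllib.error
import urllib.request

HPROF_MAGIC = b"JAVA PROFILE"   # first bytes of every .hprof file
GZIP_MAGIC = b"\x1f\x8b"        # some builds serve the dump gzipped
SENSITIVE = {"heapdump", "env", "threaddump"}


def classify_dump_response(status, content_type, body_prefix):
    """Map a /actuator/heapdump reply to a verdict for the alerting pipeline."""
    if status == 0:
        return "unreachable"
    if status != 200:
        return "closed"
    if body_prefix.startswith((HPROF_MAGIC, GZIP_MAGIC)):
        return "EXPOSED"
    if "octet-stream" in content_type.lower():
        return "EXPOSED"
    return "suspicious"  # 200 with an unexpected body: inspect by hand


def exposed_links(actuator_index_body):
    """Sensitive endpoints advertised by the /actuator discovery page."""
    try:
        links = json.loads(actuator_index_body).get("_links", {})
    except (ValueError, AttributeError):
        return []
    return sorted(SENSITIVE & set(links))


def fetch(url, limit, timeout=10):
    """GET url; return (status, content_type, first `limit` bytes). 0 = unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(limit)
    except urllib.error.HTTPError as e:
        return e.code, "", b""
    except urllib.error.URLError:
        return 0, "", b""


def check_host(base_url):
    """One canary run. A 200 means the JVM really wrote a dump: schedule sparingly."""
    status, ctype, prefix = fetch(base_url + "/actuator/heapdump", limit=32)
    _, _, index = fetch(base_url + "/actuator", limit=65536)
    return {"host": base_url,
            "heapdump": classify_dump_response(status, ctype, prefix),
            "advertised": exposed_links(index)}


if __name__ == "__main__":
    for host in ("https://<service-prod>.example-retailer.com",):  # placeholder
        result = check_host(host)
        if result["heapdump"] != "closed" or result["advertised"]:
            print("ALERT", result)  # wire this into your paging channel
```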
KEY TAKEAWAYS
• Actuator endpoints are production code—treat them that way.
• A heap dump is as revealing as a database dump; guard it with equal rigor.
• Secrets inevitably land in RAM; assume compromise and rotate regularly.
• Add heap-dump checks to every attack-surface scan—it’s only one GET away.
ABOUT THE AUTHOR
Parth Shukla is a security researcher at Cequence Security and owner of Cyfer tool (certsubs.com), focusing on API and business-logic abuse. All testing was non-destructive and conducted under responsible disclosure.