Multiple vulnerabilities in IBM Security QRadar EDR
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2024-53382 CVE-2025-27789 CVE-2025-30204 CVE-2024-12905 CVE-2025-27516 CVE-2025-43859 CVE-2025-47935 CVE-2025-47944 CVE-2024-6827 |
| CWE-ID | CWE-94 CWE-1333 CWE-400 CWE-59 CWE-20 CWE-444 CWE-401 CWE-248 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Security QRadar EDR Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Code Injection
EUVDB-ID: #VU107489
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-53382
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to Prism (aka PrismJS) allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.. A remote user can send a specially crafted request and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Inefficient regular expression complexity
EUVDB-ID: #VU105984
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-27789
CWE-ID:
CWE-1333 - Inefficient Regular Expression Complexity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Install update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU105983
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-30204
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the parse.ParseUnverified function when parsing authorization header. A remote attacker can send a specially crafted HTTP response to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Link following
EUVDB-ID: #VU106282
Risk: High
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-12905
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure link following in index.js. A remote attacker can supply a specially crafted file to the application and overwrite arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU105387
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-27516
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise the target system.
The vulnerability exists due to sandbox breakout through attr filter selecting format method. A local user can execute arbitrary code on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU108124
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-43859
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests in h11/_readers.py. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory leak
EUVDB-ID: #VU111105
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-47935
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. A remote attacker can force the application to leak memory and perform denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Uncaught Exception
EUVDB-ID: #VU111106
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-47944
CWE-ID:
CWE-248 - Uncaught Exception
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a malformed multi-part upload request and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU107611
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-6827
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to Gunicorn does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback method of 'Content-Length,' making it vulnerable to TE.CL request smuggling. A remote attacker can send a specially crafted HTTP request to the server and initiate cache poisoning, data exposure, session manipulation, SSRF, XSS, DoS, data integrity compromise, security bypass, information leakage, and business logic abuse.
MitigationInstall update from vendor's website.
Vulnerable software versionsSecurity QRadar EDR: 3.12.0 - 3.12.17
CPE2.3- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:security_qradar_edr:3.12.2:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/7236354
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
