SB2025092412 - Multiple vulnerabilities in IBM Cloud Pak for Business Automation

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025092412

SB2025092412 - Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Published: September 24, 2025

Security Bulletin ID SB2025092412
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 18% Medium 73% Low 9%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2025-21587)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


2) Input validation error (CVE-ID: CVE-2025-22872)

The vulnerability allows a remote attacker to perform code injection attacks.

The vulnerability exists due to insufficient validation of tags with unquoted attribute values that end with a solidus character (/). The tokenizer can interpret such tags as self-closing, leading to content following such tags as being placed in the wrong scope during DOM construction.


3) Path traversal (CVE-ID: CVE-2025-48050)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to scripts/server.js does not ensure that a pathname is located under the current working directory. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.


4) Stack-based buffer overflow (CVE-ID: CVE-2025-4447)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability occurs when modifying a file on disk that is read when the JVM starts. A local user can trigger stack-based buffer overflow and execute arbitrary code on the target system.


5) Improper input validation (CVE-ID: CVE-2025-30698)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the 2D component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


6) Buffer overflow (CVE-ID: CVE-2025-52999)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when parsing deeply nested JSON files. A remote attacker can pass a specially crafted JSON file to the application, trigger memory corruption and perform a denial of service (DoS) attack.


7) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2025-32997)

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to improper error handling. A remote attacker can send specially crafted data to the application and modify data on the system.


8) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2025-32996)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to writeBody can be called twice because "else if" is not used. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


9) Uncaught Exception (CVE-ID: CVE-2025-47944)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a malformed multi-part upload request and perform a denial of service (DoS) attack.


10) Memory leak (CVE-ID: CVE-2025-47935)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. A remote attacker can force the application to leak memory and perform denial of service attack.


11) Use of insufficiently random values (CVE-ID: CVE-2025-7783)

The vulnerability allows a remote attacker to perform parameter injection attacks.

The vulnerability exists due to software uses a weak Math.random() method to generated random values for multipart form-encoded data. A remote attacker can observe values produced by Math.random in the target application and predict the random number used to generate form-data's boundary value and inject arbitrary parameters into requests. 


Remediation

Install update from vendor's website.

References