SB2025122323 - Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025122323

SB2025122323 - Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

Published: December 23, 2025

Security Bulletin ID SB2025122323
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Exposed dangerous method or function (CVE-ID: CVE-2025-30359)

CWE-ID: CWE-749 - Exposed Dangerous Method or Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the way the application handles script tags. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.


2) Origin validation error (CVE-ID: CVE-2025-30360)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect Origin validation in webpack-dev-server/lib/Server.js. A remote attacker can trick the application into connecting to a malicious website with a non-Chromium browser and and share its source code with it, a.k.a. cross-site WebSocket hijacking.


3) Missing Origin Validation in WebSockets (CVE-ID: CVE-2018-14732)

CWE-ID: CWE-1385 - Missing Origin Validation in WebSockets

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing origin validation on the WebSocket interface in lib/Server.js. A remote attacker can trick the victim into visiting a malicious website that can open a WebSocket connection to localhost and access component source code.


Remediation

Install update from vendor's website.

References