SB2026010925 - Multiple vulnerabilities in IBM Event Processing

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026010925

SB2026010925 - Multiple vulnerabilities in IBM Event Processing

Published: January 9, 2026

Security Bulletin ID SB2026010925
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 40% Low 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2025-30218)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to software may leak the "x-middleware-subrequest-id" to a third party. A remote attacker with control over the third-party server can obtain the header value and use it to bypass authentication.


2) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2025-49574)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to an error when duplicating a duplicated context. A remote user can gain access to sensitive information, such as request scope, security details, and metadata.


3) Uncontrolled Recursion (CVE-ID: CVE-2025-48924)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.


4) Missing Origin Validation in WebSockets (CVE-ID: CVE-2025-48068)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing origin validation on the WebSocket interface  if the project uses the App Router. When running next dev, a malicious website can open a WebSocket connection to localhost and access component source code.


5) Resource exhaustion (CVE-ID: CVE-2025-55163)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References