SB2026012034 - Multiple vulnerabilities in IBM App Connect Enterprise

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Prototype pollution (CVE-ID: CVE-2025-64718)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution attacks.

2) OS Command Injection (CVE-ID: CVE-2025-64756)

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing file names. A remote user can pass specially crafted filename to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Resource exhaustion (CVE-ID: CVE-2025-13466)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling URL-encoded bodies with very large numbers of parameters. A remote attacker can trigger high CPU and memory usage and perform a denial of service (DoS) attack.

4) Improper verification of cryptographic signature (CVE-ID: CVE-2025-65945)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper signature verification under specific conditions when using the HS256 algorithm within the jws.createVerify() function. A remote attacker can manipulate header or payload in the HMAC secret lookup routines and bypass authorization checks. 

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7255561