How severe is CVE-2025-25182?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.4 out of 10.

What type of vulnerability is CVE-2025-25182?

This is classified as CWE-290, which is a common weakness in software security.

CVE-2025-25182 - CRITICAL Severity | CVSS 9.4

Vulnerability Description

Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authentication bypass to a Stroom system when configured with ALB and installed in a way that the application is accessible not through the ALB itself. This vulnerability may also allow for server-side request forgery which may lead to code execution or further privileges escalations when using the AWS metadata URL. This scenario assumes that Stroom must be configured to use ALB Authentication integration and the application is network accessible. The vulnerability has been fixed in versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2.

Related Vulnerabilities

CVE-2024-32977

CRITICAL

CVSS:9.4(Critical)

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely ...

CWE-2902024

CVE-2024-54450

CRITICAL

CVSS:9.4(Critical)

An issue was discovered in Kurmi Provisioning Suite 7.9.0.33. If an X-Forwarded-For header is received during authentication, the Kurmi application will record the (possibly forged) IP address mention...

CWE-2902024

CVE-2022-31149

CRITICAL

CVSS:9.6(Critical)

ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker f...

CWE-2902022

CVE-2024-12108

CRITICAL

CVSS:9.6(Critical)

In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.

CWE-2902024

CVE-2024-23674

CRITICAL

CVSS:9.6(Critical)

The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for...

CWE-2902024

CVE-2017-14487

CRITICAL

CVSS:9.1(Critical)

The OhMiBod Remote app for Android and iOS allows remote attackers to impersonate users by sniffing network traffic for search responses from the OhMiBod API server and then editing the username, user...

CWE-2902017