CVE-2025-6504

In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.7 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6504	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:progress:hybrid_data_pipeline:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-07-29 13:15

Updated : 2025-10-02 17:40

NVD link : CVE-2025-6504

Mitre link : CVE-2025-6504

CVE.ORG link : CVE-2025-6504

JSON object : View

Products Affected

progress

hybrid_data_pipeline

linux

linux_kernel

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2025-6504", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.7}]}, "published": "2025-07-29T13:15:28.650", "references": [{"url": "https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6504", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.\u00a0\n\nSince XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.\n\n\nThis vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access."}, {"lang": "es", "value": "En versiones de HDP Server anteriores a la 4.6.2.2978 en Linux, se pod\u00eda producir acceso no autorizado mediante suplantaci\u00f3n de IP mediante el encabezado X-Forwarded-For. Dado que XFF es un encabezado controlado por el cliente, podr\u00eda suplantarse, permitiendo el acceso no autorizado si la IP suplantada coincid\u00eda con un rango permitido. Esta vulnerabilidad podr\u00eda explotarse para eludir las restricciones de IP, aunque se seguir\u00edan necesitando credenciales de usuario v\u00e1lidas para acceder a los recursos."}], "lastModified": "2025-10-02T17:40:57.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:progress:hybrid_data_pipeline:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "806425E3-2E1C-412F-AF38-BD522D436EDB", "versionEndExcluding": "4.6.2.2978"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}