CVE-2025-0719

6.1 MEDIUM

📋 TL;DR

IBM Cloud Pak for Data versions 4.0.0 through 4.8.5 and 5.0.0 contain a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the web interface. This could lead to session hijacking, credential theft, or other malicious actions within a user's trusted session. Organizations running these vulnerable versions are affected.

💻 Affected Systems

Products:
  • IBM Cloud Pak for Data
Versions: 4.0.0 through 4.8.5 and 5.0.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with an accessible web UI are vulnerable; no special configuration is required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal administrator credentials, gain full control of the Cloud Pak for Data environment, and potentially pivot to other systems in the network.

🟠 Likely Case: Attackers steal user session cookies or credentials, leading to unauthorized access to sensitive data within the platform.

🟢 If Mitigated: With proper input validation and output encoding, the attack would fail to execute malicious scripts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity; attackers need to trick users into visiting malicious links or interacting with crafted content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes as specified in IBM advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/7184173

Restart Required: Yes

Instructions:

1. Review IBM advisory for specific patch versions.
2. Apply the recommended fix for your version.
3. Restart affected services.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Implement Content Security Policy (CSP)
Platform: all
Add CSP headers to restrict script execution sources

Web Application Firewall (WAF)
Platform: all
Deploy WAF with XSS protection rules to block malicious requests

🧯 If You Can't Patch

  • Isolate the Cloud Pak for Data web interface behind VPN or internal network only
  • Implement strict input validation and output encoding at the application layer

🔍 How to Verify

Check if Vulnerable:

Check your IBM Cloud Pak for Data version against affected ranges: 4.0.0-4.8.5 or 5.0.0

Check Version:

Check version through IBM Cloud Pak for Data administration console or documentation

Verify Fix Applied:

Verify you have applied the patch version specified in IBM advisory and test for XSS vectors

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in web request logs
  • Multiple failed XSS attempts

Network Indicators:

  • Suspicious script tags or JavaScript in HTTP requests to Cloud Pak endpoints

SIEM Query:

Search web logs for patterns like <script>, javascript:, or encoded XSS payloads targeting Cloud Pak URLs
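
One way to run the search described above over raw access logs, as an added example that is not from IBM or the original page: it undoes layered percent-encoding and HTML entities before matching, so encoded payloads are caught as well. The combined log format, the /example/ui paths and the event-handler pattern are assumptions, and the sample lines are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

# Patterns the page names: <script> tags and javascript: URIs. Event-handler
# attributes (onerror= etc.) are an added assumption, common in reflected XSS.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"<[^>]*\bon\w+\s*=", re.I)),
]

# Combined-log-format request line: "METHOD target HTTP/x.y" (assumed format)
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (\S+) HTTP/[\d.]+"')

def normalize(target, max_rounds=3):
    """Undo layered percent-encoding and HTML entities so encoded payloads match."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(target))
        if decoded == target:
            break
        target = decoded
    return target

def scan_line(line):
    """Return sorted names of the patterns matched by the request target in a log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = normalize(m.group(1))
    return sorted(name for name, rx in XSS_PATTERNS if rx.search(target))

# Constructed sample lines; /example/ui is a placeholder, not a real Cloud Pak for Data endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2025:10:01:02 +0000] "GET /example/ui?name=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2025:10:01:05 +0000] "GET /example/ui?name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 530',
    '198.51.100.7 - - [10/Mar/2025:10:01:09 +0000] "GET /example/ui?next=%256Aavascript%253Aalert(1) HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Mar/2025:10:01:12 +0000] "GET /example/ui?q=%26lt%3Bimg+src%3Dx+onerror%3Dalert(1)%26gt%3B HTTP/1.1" 200 498',
]

def scan(lines):
    """Return (line_number, matched_pattern_names) for each suspicious line."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := scan_line(line))]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Matches are leads for triage, not confirmation of exploitation: legitimate parameters can contain these strings, and payloads sent in POST bodies never appear in the request line.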
