CVE-2025-25182
📋 TL;DR
This CVE describes an authentication bypass in the Stroom data platform when it is configured to use AWS Application Load Balancer (ALB) authentication. An attacker who can reach a vulnerable Stroom instance over the network can bypass authentication entirely, and the same flaw can be used for server-side request forgery (SSRF) against the AWS instance metadata service, which can expose instance credentials and lead to code execution or privilege escalation. Affected systems are network-reachable Stroom deployments with ALB authentication enabled that run a build earlier than the fixed releases listed below (7.2.24, 7.3-beta.22, 7.4.4, 7.5-beta.2).
💻 Affected Systems
- Stroom
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The vendor advisory does name the fixed releases (7.2.24, 7.3-beta.22, 7.4.4, 7.5-beta.2), so treat any earlier build on those release lines as affected until confirmed otherwise.
- Review the CVE details at NVD
- Check the vendor security advisory for your specific version
- Confirm whether your deployment has ALB authentication enabled; the bypass only applies to that configuration
- Test whether the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Stroom instance via the authentication bypass, followed by SSRF against the AWS metadata service to steal the instance role's credentials, leading to code execution and privilege escalation within the AWS environment.
Likely Case
Authentication bypass allowing unauthorized access to Stroom data and functionality, potentially leading to data exposure and further lateral movement within the network.
If Mitigated
Limited impact if the Stroom instances are reachable only through the ALB (so no direct connection to the vulnerable instance is possible) or if the AWS instance metadata service is locked down so that an SSRF from the instance cannot obtain credentials.
🎯 Exploit Status
Exploitation requires that Stroom be configured for ALB authentication and that the attacker can reach the Stroom instance over the network. Once those two conditions are met, the bypass appears straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.24, 7.3-beta.22, 7.4.4, or 7.5-beta.2
Vendor Advisory: https://github.com/gchq/stroom/security/advisories/GHSA-x489-xx2m-vc43
Restart Required: Yes
Instructions:
1. Identify the currently running Stroom version.
2. Upgrade to the fixed release for your release line (7.2.24, 7.3-beta.22, 7.4.4, or 7.5-beta.2).
3. Restart the Stroom service.
4. Verify that the upgrade completed successfully and that the running version matches the fixed release.
🔧 Temporary Workarounds
Network Access Restriction
- Ensure Stroom instances are reachable only through the ALB and not directly network-accessible (for example, allow inbound traffic to the Stroom port only from the ALB's security group)
- Configure firewall rules to restrict direct access to Stroom ports (typically 8080)
Disable ALB Authentication
- Temporarily disable the ALB authentication integration if it is not strictly required
- Reconfigure Stroom to use an alternative authentication method that it supports; do not leave the instance without authentication
🧯 If You Can't Patch
- Implement strict network segmentation so that Stroom instances cannot be reached except through the ALB
- Require IMDSv2 on the EC2 instances running Stroom (HttpTokens set to required) and set the PUT response hop limit to 1: IMDSv2 needs a session token obtained with a PUT request, which a GET-only SSRF cannot perform, and the hop limit keeps the token from reaching containers or other network hops on the host
- Minimise the permissions of the instance role so that any credentials reached through SSRF are of limited use
🔍 How to Verify
Check if Vulnerable:
Check the Stroom version, confirm whether ALB authentication is configured, and confirm whether the instance can be reached other than through the ALB. A deployment is exposed when it runs an unfixed build with ALB authentication enabled and is reachable by an attacker.
Check Version:
Check the Stroom web interface or the application's startup logs for the running version string.
Verify Fix Applied:
Confirm that the running version is at or above the fixed build for its release line: 7.2.24 on the 7.2 line, 7.3-beta.22 on the 7.3 beta line, 7.4.4 on the 7.4 line, 7.5-beta.2 on the 7.5 beta line, or any later release line.
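The version comparison above is easy to get wrong by hand because two of the fixed builds are pre-release tags rather than patch numbers. The following script is an added example for this page, not code from the Stroom project. The fixed builds are the ones named in the vendor advisory; the branch rules (a GA release on a line whose beta series was fixed includes the fix, a beta on a line whose GA release was fixed predates it, release lines after 7.5 include the fix, lines before 7.2 never received one) are assumptions about how to read the advisory, and the version-string format it accepts is an assumption about Stroom's numbering.

```python
import re
from typing import Optional, Tuple

# Fixed builds per release line, as named in the vendor advisory:
# 7.2.24, 7.3-beta.22, 7.4.4, 7.5-beta.2. Key is (major, minor, prerelease tag).
FIXED_BUILDS = {
    (7, 2, None): 24,
    (7, 3, "beta"): 22,
    (7, 4, None): 4,
    (7, 5, "beta"): 2,
}

# Matches GA builds like 7.2.23 or v7.4.4 and pre-release builds like 7.3-beta.21
# (assumed format; adjust if your deployment reports versions differently).
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<tag>[A-Za-z]+)\.(?P<pre>\d+))?$"
)


def parse_version(version: str) -> Tuple[int, int, Optional[str], int]:
    """Split a Stroom version string into (major, minor, tag, build).

    `tag` is None for GA releases and the lower-cased pre-release name
    (e.g. "beta") otherwise; `build` is the patch number for GA releases
    or the pre-release number for tagged builds.
    """
    m = _VERSION_RE.match(version.strip())
    if not m or (m["patch"] is not None and m["tag"] is not None):
        raise ValueError(f"unrecognised Stroom version string: {version!r}")
    major, minor = int(m["major"]), int(m["minor"])
    if m["tag"] is not None:
        return major, minor, m["tag"].lower(), int(m["pre"])
    return major, minor, None, int(m["patch"] or 0)


def is_fixed(version: str) -> bool:
    """True if `version` is at or beyond the fixed build for its release line.

    Assumptions (not stated in the advisory): a GA release on a line whose
    beta series was fixed includes the fix; a beta on a line whose GA was
    fixed predates it; release lines after 7.5 include the fix; lines before
    7.2 never received one.
    """
    major, minor, tag, build = parse_version(version)
    key = (major, minor, tag)
    if key in FIXED_BUILDS:
        return build >= FIXED_BUILDS[key]
    if tag is None and (major, minor, "beta") in FIXED_BUILDS:
        return True  # e.g. a 7.3 GA release follows the fixed 7.3-beta series
    return (major, minor) > (7, 5)


if __name__ == "__main__":
    for v in ["7.2.23", "7.2.24", "7.3-beta.21", "7.4.4", "7.4-beta.3", "7.6.0"]:
        print(f"{v:12s} {'fixed' if is_fixed(v) else 'VULNERABLE'}")
```

Run it with the version string reported by your instance; a "VULNERABLE" result on a deployment with ALB authentication enabled means the upgrade and the workarounds above apply.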
📡 Detection & Monitoring
Log Indicators:
- Successful logins or API access from clients that did not pass through the ALB
- Requests reaching Stroom without the identity headers that the ALB adds to requests it has authenticated (the x-amzn-oidc-* headers)
- Unusual access to AWS metadata endpoints originating from the Stroom host
Network Indicators:
- Direct connections to Stroom ports (typically 8080) from sources other than the ALB's subnets or security group
- Outbound requests from Stroom instances to the metadata service address 169.254.169.254
SIEM Query (pseudo-query; replace the placeholders with your ALB subnets and Stroom hosts):
source="stroom" AND (event_type="auth_failure" OR (dest_port=8080 AND NOT src_ip IN (<alb_subnet_cidrs>)))
source="vpc_flow" AND src_host IN (<stroom_hosts>) AND dest_ip="169.254.169.254"
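The indicators above can be checked offline against exported logs. The following triage script is an added example for this page, not part of Stroom or any SIEM product. It assumes a constructed JSON-lines layout (the sample records are made up, not real logs), a placeholder ALB subnet of 10.0.0.0/24, and uses the x-amzn-oidc-data header, which an AWS ALB adds to requests it has authenticated and which therefore cannot legitimately appear on a request that did not come through the ALB. A request from outside the ALB subnet is flagged regardless of what headers it carries, because a direct connection is exactly the condition the bypass needs.

```python
import ipaddress
import json
from typing import Dict, Iterable, List

# Placeholders: the subnets the ALB sends traffic from (set to your own).
ALB_SUBNETS = [ipaddress.ip_network("10.0.0.0/24")]
IMDS_ADDRESS = "169.254.169.254"
# Header an AWS ALB adds to requests it has authenticated.
ALB_AUTH_HEADER = "x-amzn-oidc-data"
HEALTH_CHECK_UA_PREFIX = "ELB-HealthChecker"

# Constructed sample records in a made-up JSON-lines layout (not real Stroom
# or AWS logs). kind=access: inbound request seen by Stroom, with the names of
# the request headers present; kind=egress: outbound flow from the Stroom host.
SAMPLE_LOG = """\
{"kind":"access","ts":"2025-03-01T10:00:00Z","src":"10.0.0.12","path":"/","ua":"ELB-HealthChecker/2.0","headers":[]}
{"kind":"access","ts":"2025-03-01T10:00:05Z","src":"10.0.0.12","path":"/dashboard","ua":"Mozilla/5.0","headers":["x-amzn-oidc-data","x-amzn-oidc-identity"]}
{"kind":"access","ts":"2025-03-01T10:01:00Z","src":"192.0.2.77","path":"/dashboard","ua":"curl/8.4.0","headers":["x-amzn-oidc-data"]}
{"kind":"access","ts":"2025-03-01T10:01:30Z","src":"10.0.0.12","path":"/dashboard","ua":"python-requests/2.31","headers":[]}
{"kind":"egress","ts":"2025-03-01T10:01:31Z","src":"10.0.1.5","dst":"169.254.169.254","dport":80}
{"kind":"egress","ts":"2025-03-01T10:01:40Z","src":"10.0.1.5","dst":"10.0.2.9","dport":5432}
"""


def from_alb(src: str) -> bool:
    """True if the source address lies in one of the ALB subnets."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALB_SUBNETS)


def triage_record(rec: Dict) -> List[str]:
    """Return the indicator names a single record trips (empty if clean)."""
    hits: List[str] = []
    if rec["kind"] == "access":
        headers = {h.lower() for h in rec.get("headers", [])}
        if not from_alb(rec["src"]):
            # Direct connection to Stroom: the bypass precondition, and any
            # ALB header on it was forged rather than set by the ALB.
            hits.append("direct_access_bypassing_alb")
        elif ALB_AUTH_HEADER not in headers and not rec.get("ua", "").startswith(HEALTH_CHECK_UA_PREFIX):
            # Came via the ALB but without the authenticated-identity header:
            # the listener rule may not be enforcing authentication.
            hits.append("request_without_alb_auth_header")
    elif rec["kind"] == "egress" and rec.get("dst") == IMDS_ADDRESS:
        # Stroom host talking to the instance metadata service.
        hits.append("imds_access_from_stroom_host")
    return hits


def triage(lines: Iterable[str]) -> List[Dict]:
    """Run triage_record over JSON-lines input and collect findings."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        for hit in triage_record(rec):
            findings.append({"ts": rec["ts"], "src": rec["src"], "indicator": hit})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['src']:15s} {f['indicator']}")
```

On the sample input the script reports the external connection, the ALB-sourced request that lacks the authentication header, and the egress flow to the metadata service, while the health check and the normal authenticated request pass. In a real deployment, feed it the same fields from Stroom's access log and your VPC flow logs.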