PT-2025-15408 · Mendix · Mendix Runtime V8, V9, V10

Published 2025-04-08 · Updated 2025-04-16 · CVE-2025-30280

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mendix Runtime V8, all versions; Mendix Runtime V9, versions prior to V9.24.34; Mendix Runtime V10, versions prior to V10.21.0. The V10.6, V10.12 and V10.18 release lines are affected in all versions, but they fall inside the V10 range above and are therefore not listed separately.
Description: Certain client actions return distinguishable responses depending on whether the requested entity or attribute exists. An unauthenticated remote attacker can use this response difference as an oracle to enumerate all valid entity and attribute names of a Mendix Runtime-based application. The impact is limited to information disclosure (C:L, no effect on integrity or availability), but the leaked data model is useful reconnaissance for follow-on attacks against the application.
Recommendations: For Mendix Runtime V8, update to a version that includes the fix for this issue. For Mendix Runtime V9 versions prior to V9.24.34, update to V9.24.34 or later. For Mendix Runtime V10 versions prior to V10.21.0, update to V10.21.0 or later. Because the issue requires neither authentication nor user interaction (AV:N/PR:N/UI:N), prioritise applications that are reachable from the internet.
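The following script is an added example, not Mendix code or part of the advisory: it checks a deployed Mendix Runtime version string against the affected ranges stated above (V8 all versions, V9 below V9.24.34, V10 below V10.21.0) and returns the matching recommendation. Version strings must be compared numerically, not as text, because a textual comparison would rank V9.24.4 above V9.24.34. The version strings in the inventory are constructed for illustration.

```python
# Added example (not Mendix code): classify Mendix Runtime versions against the
# affected ranges stated in this advisory for CVE-2025-30280.
import re

# First fixed version per major line as stated in the advisory.
# None means the advisory lists no fixed version for that line (all versions affected).
FIXED_VERSIONS = {
    8: None,
    9: (9, 24, 34),
    10: (10, 21, 0),
}


def parse_version(text):
    """Parse 'V9.24.4' or '9.24.4' into a tuple of ints.

    Tuples compare numerically component by component, so (9, 24, 4) < (9, 24, 34),
    which a plain string comparison would get wrong.
    """
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(text):
    """Return (affected, advice) for one runtime version string."""
    version = parse_version(text)
    major = version[0]
    if major not in FIXED_VERSIONS:
        return False, f"V{major} is not listed in this advisory"
    fixed = FIXED_VERSIONS[major]
    if fixed is None:
        # V8: the advisory names no fixed release, only "a version that includes the fix".
        return True, f"V{major}: all versions affected, no fixed version listed in this advisory"
    if version < fixed:
        return True, "update to V%d.%d.%d or later" % fixed
    return False, "at or above the fixed version"


def audit(inventory):
    """Map each (app name, version) pair to its verdict; apps with unparsable
    versions are reported rather than silently skipped."""
    report = {}
    for app, version in inventory:
        try:
            report[app] = is_affected(version)
        except ValueError as exc:
            report[app] = (None, str(exc))
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = [
        ("orders-portal", "V9.24.4"),
        ("hr-intranet", "V9.24.34"),
        ("partner-api", "V10.6.5"),   # V10.6 line: inside the V10 < V10.21.0 range
        ("legacy-crm", "V8.18.0"),
        ("new-app", "V10.21.0"),
        ("broken-entry", "ten.point.six"),
    ]
    for app, (affected, advice) in audit(sample).items():
        print(f"{app:15} affected={affected!s:5} {advice}")
```

The `audit` function is meant to be pointed at whatever inventory source you already have (a CMDB export, the Mendix Developer Portal listing); anything that fails to parse is surfaced as `None` so that a malformed version string does not read as "not affected".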

Related Identifiers

BDU:2025-04275
CVE-2025-30280

Affected Products

Mendix Runtime V8
Mendix Runtime V9
Mendix Runtime V10