PT-2025-42649 · Blu-Ic2+1 · Blu-Ic2+1

Alexi Bitsios

Published

2025-10-17

Updated

2025-11-07

CVE-2025-11925

CVSS v4.0

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions BLU-IC2 versions through 1.19.5 BLU-IC4 versions through 1.19.5

Description An incorrect Content-Type header in certain APIs allows for potential injection of HTML or JavaScript into replies. Specifically, the API responds with text/html when application/json is expected, creating a MIME confusion attack vector. This can lead to cross-site scripting (XSS) without requiring authentication. The API endpoints are vulnerable due to this header misconfiguration. The vulnerable parameter is not specified.

Recommendations BLU-IC2 versions through 1.19.5 should be updated. BLU-IC4 versions through 1.19.5 should be updated.

Fix

Improper Check for Exceptional Conditions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-754

Related Identifiers

CVE-2025-11925

Affected Products

Blu-Ic2

Blu-Ic4

PT-2025-42649 · Blu-Ic2+1 · Blu-Ic2+1

CVE-2025-11925

Weakness Enumeration

Related Identifiers

Affected Products

References · 10