PT-2025-7050 · Stroom · Stroom

Liad-Miggo · Published 2025-02-12 · Updated 2025-03-06 · CVE-2025-25182

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions:
Stroom versions 7.2-beta.53 through 7.2.23
Stroom versions prior to 7.3-beta.22
Stroom versions prior to 7.4.4
Stroom versions prior to 7.5-beta.2

Description: The issue concerns a data processing, storage, and analysis platform. A vulnerability allows authentication bypass when the platform is configured for AWS Application Load Balancer (ALB) authentication but deployed so that the application is also reachable directly, not only through the ALB. The same weakness may also allow server-side request forgery, which may lead to code execution or further privilege escalation when the AWS metadata URL is reachable. The scenario assumes that the platform is configured to use the ALB Authentication integration and that the application is network accessible.
Recommendations: For versions 7.2-beta.53 through 7.2.23, update to version 7.2.24 or later. For versions prior to 7.3-beta.22, update to version 7.3-beta.22 or later. For versions prior to 7.4.4, update to version 7.4.4 or later. For versions prior to 7.5-beta.2, update to version 7.5-beta.2 or later. As a temporary workaround, consider restricting access to the ALB authentication integration until a patch is available. Avoid using the AWS metadata URL in the affected platform until the issue is resolved.

Exploit

Fix

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2025-25182
GHSA-X489-XX2M-VC43

Affected Products

Stroom