PT-2026-1839 · Palantir · Palantir Dossier, Palantir Slides

Published: 2026-01-09 · Updated: 2026-01-09 · CVE-2025-62487

CVSS v3.1: 3.5 (Low)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Palantir Dossier and Slides apps (affected versions not specified)

Description

Images uploaded through the Dossier front-end app were not consistently marked with the correct security levels. This issue stemmed from a change implemented in May 2025 intended to enable file sharing across different artifacts, such as dossiers and presentations. In deployments configured with CBAC (Configuration-Based Access Control), a security picker dialog appears, allowing users to set the appropriate security level for uploads, mitigating the issue. However, in deployments without CBAC, no security picker is displayed, resulting in a default security level of CUSTOM without specific markings or datasets selected. Consequently, file access is governed solely by the “Default authorization rules” defined in the Auth Chooser configuration, which typically grants access to the Everyone group.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-62487

Affected Products

Palantir Dossier
Palantir Slides