CVE-2025-6504
BaseFortify
Publication date: 2025-07-29
Last updated on: 2025-10-02
Assigner: Progress Software Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| progress | hybrid_data_pipeline | to 4.6.2.2978 (exc) |
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Hybrid Data Pipeline (HDP) Server versions below 4.6.2.2978 on Linux. The server enforces IP-based access restrictions using the X-Forwarded-For (XFF) header, but that header is written by the client, not by the server, so an attacker can set it to any value. By setting it to an address inside a whitelisted IP range, the attacker can bypass the IP restriction (CWE-345: the server accepts origin data it never verified). Valid user credentials are still required to reach protected resources, so this is an access-control bypass rather than an authentication bypass.
How can this vulnerability impact me?
An attacker outside your allowed IP ranges can spoof the X-Forwarded-For header so that requests appear to originate from a trusted range, defeating the IP-based restriction. Combined with valid or stolen user credentials, this allows access to data and resources that the IP restriction was meant to protect; without credentials it only removes one layer of defence. Upgrading to 4.6.2.2978 or later removes the issue; as an interim measure, ensure the server only accepts XFF values that a trusted reverse proxy in front of it has appended.
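The following is an added example, not code from BaseFortify or from Progress Hybrid Data Pipeline, showing in generic Python why an allowlist check that trusts X-Forwarded-For is bypassable and one common way to harden it. The allowlist range 10.20.0.0/16, the trusted proxy address 192.0.2.10, and all request values are constructed for illustration.

```python
"""Added example (not the vendor's code): X-Forwarded-For (XFF) spoofing
against an IP allowlist, and a hardened resolver that only honours XFF
hops appended by a known reverse proxy.

All addresses below are constructed for the example; they are not taken
from the advisory."""
import ipaddress
from typing import Callable, List, Optional

# Hypothetical allowlist and trusted reverse-proxy set.
ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an XFF value ("client, proxy1, proxy2") into its hops."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _in_any(ip: str, networks) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal: never matches a network
    return any(addr in net for net in networks)


def client_ip_vulnerable(remote_addr: str, xff: Optional[str]) -> str:
    """Vulnerable resolver: believes the left-most XFF hop, which the
    client itself writes. This is the pattern CWE-345 describes."""
    hops = parse_xff(xff)
    return hops[0] if hops else remote_addr


def client_ip_hardened(remote_addr: str, xff: Optional[str],
                       trusted=TRUSTED_PROXIES) -> str:
    """Hardened resolver: walk the chain right-to-left starting from the
    TCP peer address, skip only hops that are trusted proxies, and return
    the first hop that is not one. Client-supplied hops to the left of the
    proxy's own entry are never consulted."""
    chain = parse_xff(xff) + [remote_addr]
    for hop in reversed(chain):
        if _in_any(hop, trusted):
            continue
        return hop
    # Every hop was a trusted proxy; fall back to the socket peer.
    return remote_addr


def request_allowed(remote_addr: str, xff: Optional[str],
                    resolver: Callable[[str, Optional[str]], str],
                    allowlist=ALLOWLIST) -> bool:
    """Apply the allowlist to whichever client IP the resolver reports."""
    return _in_any(resolver(remote_addr, xff), allowlist)


if __name__ == "__main__":
    # Attacker at 203.0.113.7 connects directly and forges XFF.
    spoofed = "10.20.5.5"
    print("vulnerable:", request_allowed("203.0.113.7", spoofed, client_ip_vulnerable))
    print("hardened:  ", request_allowed("203.0.113.7", spoofed, client_ip_hardened))
    # Same attacker behind the trusted proxy, which appends the real peer.
    via_proxy = "10.20.5.5, 203.0.113.7"
    print("via proxy: ", request_allowed("192.0.2.10", via_proxy, client_ip_hardened))
```

The hardened resolver only works if the reverse proxy in front of the server always appends the peer address to XFF (or replaces the header) and if the server is not reachable except through that proxy; a proxy that merely forwards a client-supplied XFF unchanged leaves the bypass intact. When the server is exposed directly, the safest configuration is to ignore XFF entirely and use the socket peer address.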