CVE-2025-36857
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-12-11

Assigner: Rapid7, Inc.

Description
Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard users to add custom configuration files. These files, which are loaded in alphabetical order, can override or change the settings of the original configuration files, creating a security vulnerability. This issue stems from improper directory access management. This vulnerability was remediated in version 7.5.021 of the product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-25
Last Modified
2025-12-11
Generated
2026-06-16
AI Q&A
2025-09-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-36857
EUVD
EUVD-2025-31102
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rapid7 appspider_pro to 7.5.021 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Rapid7 Appspider Pro versions below 7.5.021 is a broken access control issue in the application's configuration file loading mechanism. It allows an attacker to place files in directories belonging to other users or projects. Since the application loads configuration files in alphabetical order, an attacker can add custom configuration files that override or change the settings of the original configuration files, leading to a security risk. The root cause is improper directory access management.

Impact Analysis

The vulnerability can allow a standard user to modify or override configuration settings of other users or projects by placing malicious configuration files. This can lead to unauthorized changes in application behavior or security settings, potentially compromising the integrity of the application environment.

Mitigation Strategies

Upgrade Rapid7 Appspider Pro to version 7.5.021 or later, as this version remediates the broken access control vulnerability in the configuration file loading mechanism.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36857. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart