CVE-2025-35056
BaseFortify
Publication date: 2025-10-09
Last updated on: 2025-10-22
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| newforma | project_center | to 2024.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Newforma Info Exchange (NIX) at the endpoint '/UserWeb/Common/MarkupServices.ashx' in the 'StreamStampImage' function. It accepts an encrypted file path and returns an image of the specified file. An authenticated attacker who has privileges in NIX (typically 'NT AUTHORITY\NetworkService') can exploit this to read arbitrary files that StreamStampImage can process. The encrypted file path can be generated using a shared, hard-coded secret key described in another vulnerability (CVE-2025-35052). This vulnerability cannot be exploited by anonymous users.
How can this vulnerability impact me? :
The vulnerability allows an authenticated attacker to read arbitrary files on the system with the privileges of the NIX service, which is typically 'NT AUTHORITY\NetworkService'. This could lead to unauthorized disclosure of sensitive information stored on the system, potentially exposing confidential data or system files accessible by that service account.