CVE-2025-62487
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Palantir Technologies

Description
Details

On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. other dossiers and presentations). On deployments configured with CBAC, the front-end would present a security picker dialog to set the security level on the uploads, thereby mitigating the issue. On deployments without a CBAC configuration, no security picker dialog appears, leading to a security level of CUSTOM with no markings or datasets selected. The resulting markings and groups for the file uploads thus will be only those added by the “Default authorization rules” defined in the Auth Chooser configuration. On most environments, it is expected that the “Default authorization rules” only add the Everyone group.
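As an added example (not Palantir's code or API), the following audit runs over a constructed export of upload records and flags uploads left in the state the advisory describes: level CUSTOM, no markings, no datasets, and no group beyond what the deployment's default authorization rules add. The record field names and the default-group list are assumptions.

```python
# Added example, not Palantir code. Record shape (security_level, markings,
# datasets, groups) is an assumed export format for Dossier uploads.
from dataclasses import dataclass, field


@dataclass
class UploadRecord:
    upload_id: str
    security_level: str                         # e.g. "CUSTOM"
    markings: list = field(default_factory=list)
    datasets: list = field(default_factory=list)
    groups: list = field(default_factory=list)  # groups granted by auth rules


def is_overexposed(rec, default_groups=("Everyone",)):
    """True when an upload carries only what the default authorization
    rules add: CUSTOM level, no markings, no datasets, and a non-empty
    group list that lies entirely within the assumed default groups."""
    if rec.security_level != "CUSTOM":
        return False
    if rec.markings or rec.datasets:
        return False
    return bool(rec.groups) and set(rec.groups) <= set(default_groups)


def find_overexposed(records, default_groups=("Everyone",)):
    """Return the ids of uploads that match the regression symptom."""
    return [r.upload_id for r in records if is_overexposed(r, default_groups)]


# Constructed sample records (not real data).
SAMPLE = [
    UploadRecord("img-001", "CUSTOM", groups=["Everyone"]),                 # symptom
    UploadRecord("img-002", "CUSTOM", markings=["MARK-A"], groups=["Everyone"]),
    UploadRecord("img-003", "CUSTOM", groups=["Everyone", "Team-X"]),       # explicit share
    UploadRecord("img-004", "MARKED", groups=["Everyone"]),                 # picker used
    UploadRecord("img-005", "CUSTOM", datasets=["ds-1"], groups=["Everyone"]),
]

if __name__ == "__main__":
    print(find_overexposed(SAMPLE))  # ['img-001']
```

Pass the groups your own “Default authorization rules” add as `default_groups` so that deliberately shared uploads are not flagged.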
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-05-07
AI Q&A
2026-01-10
EPSS Evaluated
2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
palantir dossier *
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Palantir Dossier front-end app incorrectly marking the security levels of uploaded images. Due to a regression from a May 2025 change intended to allow file sharing among different artifacts, images uploaded without a CBAC configuration do not trigger a security picker dialog. As a result, these uploads are assigned a default CUSTOM security level with no specific markings or datasets, typically only including the Everyone group from default authorization rules. This mislabeling can lead to improper access controls on uploaded files.


How can this vulnerability impact me?

The impact of this vulnerability is that images uploaded without proper security markings may be accessible to broader groups than intended, since the files default to the Everyone group. This can lead to unauthorized access or exposure of sensitive information if the deployment is not configured with CBAC, which otherwise mitigates the issue by prompting for security level selection.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that your deployment is configured with CBAC so that the front-end presents the security picker dialog to correctly set security levels on uploads. Without CBAC configuration, uploads default to a CUSTOM security level with minimal markings, which is insecure. Therefore, enabling CBAC configuration is the immediate step to mitigate the issue.

