CVE-2025-31991
Received Received - Intake
Improper Rate Limiting in HCL DevOps Velocity Enables Brute-Force

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: HCL Software

Description
Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.Β  This vulnerability is fixed in 5.1.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-31991
EUVD
EUVD-2025-209421
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hcl devops_velocity 5.1.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because the rate limiting mechanism for user login attempts in HCL DevOps Velocity is not properly enforced. As a result, attackers can perform brute-force attacks by repeatedly trying to log in past the limit of unsuccessful login attempts.

This issue is addressed and fixed in version 5.1.7 of HCL DevOps Velocity.

Impact Analysis

The vulnerability allows attackers to perform brute-force attacks on user login credentials, potentially leading to unauthorized access to user accounts.

While the confidentiality of data is not directly impacted (as indicated by the CVSS score), the integrity of the system can be compromised because attackers may gain control over user accounts.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade HCL DevOps Velocity to version 5.1.7 where the issue is fixed.

Compliance Impact

The vulnerability allows brute-force attacks due to improper enforcement of rate limiting on user login attempts. This can lead to unauthorized access or compromise of user accounts.

Such unauthorized access risks can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-31991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart