SB2025112104 - Multiple vulnerabilities in IBM Power HMC
Published: November 21, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-52434)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling HTTP/2 requests with APR/Native. A remote attacker can send specially crafted HTTP requests to the server and perform a denial of service (DoS) attack.
2) Resource exhaustion (CVE-ID: CVE-2025-48989)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can send specially crafted HTTP request to the web server and consume all available memory resources, leading to a denial of service.
Note, this vulnerability is known as HTTP/2 Made You Reset Attack.
3) Resource management error (CVE-ID: CVE-2025-52520)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to overflow in file upload limit. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.
4) Resource exhaustion (CVE-ID: CVE-2025-53506)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling excessive HTTP/2 streams. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Session Fixation (CVE-ID: CVE-2025-55668)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to session fixation. A remote attacker can trick the victim into opening a specially crafted request to gain unauthorized access to sensitive information on the system.
6) Improper Protection of Alternate Path (CVE-ID: CVE-2025-49125)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper access restrictions when using PreResources or PostResources mounted other than at the root of the web application. A remote attacker can bypass configured security rules using a alternate path and gain unauthorized access to the application.
7) Resource exhaustion (CVE-ID: CVE-2025-48988)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling multipart requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
8) Improper handling of case sensitivity (CVE-ID: CVE-2025-46701)
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to an error when handling URLs on a case insensitive filesystem with security constraints configured for the <code>pathInfo</code> component of a URL that mapped to the CGI servlet. A remote attacker can bypass imposed security constraints via a specially crafted URL.
9) Input validation error (CVE-ID: CVE-2025-31651)
The vulnerability allows a remote attacker to bypass rewrite rules.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted input to the application and bypass configured rewrite rules.
10) Improper error handling (CVE-ID: CVE-2025-31650)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient error handling for certain invalid HTTP priority headers. A remote attacker can send a large amount of specially crafted HTTP requests to the server and consume all available memory, resulting in a denial of service condition.
Remediation
Install update from vendor's website.