SB2025122323 - Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Exposed dangerous method or function (CVE-ID: CVE-2025-30359)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the way the application handles script tags. Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject in their site and run the script. Note that the attacker has to know the port and the output entrypoint script path. Combined with prototype pollution, the attacker can get a reference to the webpack runtime variables. By using Function::toString against the values in __webpack_modules__, the attacker can get the source code.

2) Origin validation error (CVE-ID: CVE-2025-30360)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect Origin validation in webpack-dev-server/lib/Server.js. A remote attacker can trick the application into connecting to a malicious website with a non-Chromium browser and and share its source code with it, a.k.a. cross-site WebSocket hijacking.

3) Missing Origin Validation in WebSockets (CVE-ID: CVE-2018-14732)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing origin validation on the WebSocket interface in lib/Server.js. A remote attacker can trick the victim into visiting a malicious website that can open a WebSocket connection to localhost and access component source code.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7255091