Security Bulletin: Multiple vulnerabilities affect IBM Business Automation Workflow – CVE-2025-27789, CVE-2024-57965, CVE-2025-27152, CVE-2024-55565

Vulnerability Details

Basic Information

Title Security Bulletin: Multiple vulnerabilities affect IBM Business Automation Workflow – CVE-2025-27789, CVE-2024-57965, CVE-2025-27152, CVE-2024-55565
Type ibm
Published 2025-05-03T05:52:10
Last Seen 2025-05-03T10:56:46
CVSS Score 6.2 (MEDIUM)

CVSS v3 Details

Attack Vector LOCAL
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH

CVE Information

CVE IDs CVE-2024-55565, CVE-2024-57965, CVE-2025-27152, CVE-2025-27789
CWE
Bulletin Family software

Description

## Summary

Some IBM Business Automation Workflow user interfaces may be affected by vulnerabilities in JavaScript libraries.

## Vulnerability Details

**CVEID:** CVE-2025-27789
**DESCRIPTION:** Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It’s likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
**CWE:** CWE-1333: Inefficient Regular Expression Complexity
**CVSS Source:** [email protected]
**CVSS Base score:** 6.2
**CVSS Vector:** (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-57965
**DESCRIPTION:** In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a URL object when determining an origin, and has a potentially unwanted setAttribute('href', href) call. NOTE: some parties feel that the code change only addresses a warning message from a SAST tool and does not fix a vulnerability.
**CWE:** CWE-346: Origin Validation Error
**CVSS Source:** [email protected]
**CVSS Base score:** 0
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N)

**CVEID:** CVE-2025-27152
**DESCRIPTION:** axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
**CWE:** CWE-918: Server-Side Request Forgery (SSRF)
**CVSS Source:** IBM
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2024-55565
**DESCRIPTION:** nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
**CWE:** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
**CVSS Source:** CISA ADP
**CVSS Base score:** 4.3
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

## Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V24.0.1 – V24.0.1-IF001 | affected |
| IBM Business Automation Workflow containers | V24.0.0 – V24.0.0-IF004 | affected |
| IBM Business Automation Workflow containers | earlier unsupported versions | affected |
| IBM Business Automation Workflow traditional | V24.0.0 – V24.0.1 | affected |
| IBM Business Automation Workflow traditional | earlier unsupported versions | affected |

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

## Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT423873 and DT433330 as soon as practical.

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V24.0.1 – V24.0.1-IF001 | Apply 24.0.1-IF002 |
| IBM Business Automation Workflow containers | V24.0.0 – V24.0.0-IF004 | Apply 24.0.0-IF005 |
| IBM Business Automation Workflow containers | earlier unsupported versions | Upgrade to 24.0.0-IF005 (or later) or 24.0.1-IF002 (or later) |
| IBM Business Automation Workflow traditional | V24.0.1, V24.0.0 | Apply APARs DT423873 and DT433330 |
| IBM Business Automation Workflow traditional | earlier unsupported versions | Upgrade to 24.0.0 or 24.0.1 and apply APARs DT423873 and DT433330 |

## Workarounds and Mitigations

None


Impact Assessment

Base Score 6.2
Severity MEDIUM
