The vulnerability in Valtimo backend libraries (CVE-2025-XXXXX) allows unauthorized users to access, modify, create, or delete objects via the object-api due to improper access controls. The flaw stems from insufficient endpoint authorization checks in `ObjectenApiHttpSecurityConfigurer` and `ObjectManagementHttpSecurityConfigurer`. Attackers can exploit this by sending crafted HTTP requests to object-api endpoints, bypassing role-based restrictions. Even if `showInDataMenu` is disabled, objects remain accessible if their URLs are exposed. This impacts all instances where object-management configurations exist, enabling data leaks or system compromise.
DailyCVE Form:
Platform: Valtimo Backend Libraries
Version: Pre-patch
Vulnerability: Unauthorized Object Access
Severity: High
Date: May 28, 2025
Prediction: Patch expected by June 10, 2025
What Undercode Says:
Exploitation:
1. Craft GET/POST requests to `/api/objecten` endpoints.
2. Enumerate objects via `/api/objecten/management`.
3. Use Burp Suite to intercept unauthenticated requests.
Detection:
grep -r "ObjectenApiHttpSecurityConfigurer" /src
curl -I http://target/api/objecten | grep 200
Mitigation:
1. Override `configure(HttpSecurity http)` in custom security config:
http.authorizeRequests()
    .antMatchers("/api/objecten/**").hasRole("ADMIN")  // "/**" covers every object-api sub-path, not just the bare prefix
    .anyRequest().authenticated();
2. Apply IP whitelisting:
location /api/objecten {
    allow 192.168.1.0/24;
    deny all;
}
3. Audit logs for suspicious access:
grep "POST /api/objecten" /var/log/valtimo/access.log
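As an added example (not from this advisory or the Valtimo project), the log audit in step 3 carried a bit further: a Python script that parses constructed access-log lines and flags every successful object-api request that is anonymous or comes from outside the 192.168.1.0/24 range allowed in step 2. The combined-log-style format, the authenticated-user field and the log path are assumptions; adjust the regex to your own access log.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a combined-log-like format (not real Valtimo output).
SAMPLE_LOG = """\
192.168.1.10 - admin [28/May/2025:10:01:02 +0000] "GET /api/objecten/management HTTP/1.1" 200 512
203.0.113.9 - - [28/May/2025:10:01:07 +0000] "GET /api/objecten/management HTTP/1.1" 200 9431
203.0.113.9 - - [28/May/2025:10:01:09 +0000] "POST /api/objecten HTTP/1.1" 201 87
192.168.1.20 - alice [28/May/2025:10:02:11 +0000] "DELETE /api/objecten/42 HTTP/1.1" 204 0
203.0.113.9 - - [28/May/2025:10:02:15 +0000] "GET /api/login HTTP/1.1" 200 300
203.0.113.9 - - [28/May/2025:10:02:20 +0000] "PUT /api/objecten/42 HTTP/1.1" 403 0
"""

# Assumed layout: client ip, ident, authenticated user ("-" when anonymous), timestamp, request, status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

OBJECT_API_PREFIX = "/api/objecten"
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")  # mirrors the nginx allow rule above
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def suspicious_object_api_hits(log_text, trusted=TRUSTED_NET):
    """Return (ip, user, method, path, status) for every 2xx object-api request
    that was anonymous or originated outside the trusted network."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, status = m["path"], int(m["status"])
        if not path.startswith(OBJECT_API_PREFIX) or not 200 <= status < 300:
            continue
        anonymous = m["user"] == "-"
        outside = ipaddress.ip_address(m["ip"]) not in trusted
        if anonymous or outside:
            hits.append((m["ip"], m["user"], m["method"], path, status))
    return hits


def summarize(hits):
    """Count flagged reads vs writes per source IP; writes are the ones to triage first."""
    counts = Counter()
    for ip, _user, method, _path, _status in hits:
        counts[(ip, "write" if method in WRITE_METHODS else "read")] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = suspicious_object_api_hits(SAMPLE_LOG)
    for hit in flagged:
        print("FLAG", *hit)
    print(summarize(flagged))
```

Denied requests (403) are skipped on purpose: the point is to find requests that succeeded where the configurer should have rejected them, so pipe your real log in place of `SAMPLE_LOG`.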
Patch Monitoring:
wget https://github.com/valtimo-platform/valtimo-backend-libraries/releases
Temporary Fix:
Disable object-api endpoints via `application.properties`:
valtimo.object-api.enabled=false
Sources:
Reported By: github.com