Security Bulletin: IBM Event Processing is vulnerable to a CRLF injection vulnerability in Netty (CVE-2025-67735)

Summary IBM Event Processing is vulnerable to a CRLF injection vulnerability in Netty io.netty.handler.codec.http.HttpRequestEncoder. An attacker could exploit this vulnerability to perform HTTP request smuggling against affected Event Processing services that use the vulnerable Netty component...

Security Bulletin: IBM Event Processing is vulnerable to information disclosure (CVE-2025-68429)

Summary IBM Event Processing may be vulnerable to information disclosure. Vulnerability Details CVEID:CVE-2025-68429 DESCRIPTION: Storybook is a frontend workshop for building user interface components and pages in isolation. A vulnerability present starting in versions 7.0.0 and prior to version...

Security Bulletin: Multiple Vulnerabilities in IBM Event Processing

Summary Multiple vulnerabilities were addressed in IBM Event Processing 1.5.0 Vulnerability Details CVEID:CVE-2026-1002 DESCRIPTION: The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. Th...

Security Bulletin: IBM Event Processing is vulnerable to unauthorized access to hidden files and stored cross-site scripting (XSS) (CVE-2025-11965, CVE-2025-11966)

Summary IBM Event Processing is vulnerable to unauthorized access to hidden files and stored cross-site scripting XSS when using Eclipse Vert.x. Vulnerability Details CVEID:CVE-2025-11965 DESCRIPTION: In Eclipse Vert.x versions 4.0.0, 4.5.21 and 5.0.0, 5.0.4, a StaticHandler configuration for...

Security Bulletin: IBM Event Processing is vulnerable to command injection vulnerability (CVE-2025-64756)

Summary IBM Event Processing is vulnerable to command injection vulnerability due to Glob matches files. Vulnerability Details CVEID:CVE-2025-64756 DESCRIPTION: Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI...

Security Bulletin: IBM Event Processing is affected by multiple Vulnerabilities in IBM Operator for Apache Flink

Summary IBM Event Processing is affected by multiple Vulnerabilities in IBM Operator for Apache Flink 1.4.5 Vulnerability Details CVEID:CVE-2025-58056 DESCRIPTION: Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers...

Security Bulletin: Multiple Vulnerabilities in IBM Event Processing

Summary Multiple vulnerabilities were addressed in IBM Event Processing version 1.4.5 Vulnerability Details CVEID:CVE-2025-30218 DESCRIPTION: Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which...

Security Bulletin: IBM Event Processing is vulnerable due to Incorrect Default Permissions (CVE-2025-30706)

Summary IBM Event Processing is vulnerable due to incorrect default permissions in the MySQL Connectors product specifically, Connector/J. This connector is used in IBM Event Processing to enable Java-based components to interact with MySQL databases for storing and retrieving event-related data...

Security Bulletin: Multiple Vulnerabilities in IBM Event Processing

Summary Multiple vulnerabilities were addressed in IBM Event Processing version 1.4.1 Vulnerability Details CVEID:CVE-2025-27789 DESCRIPTION: Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression...

Security Bulletin: IBM Event Processing is vulnerable to an Authorization Bypass (CVE-2025-29927)

Summary IBM Event Processing is vulnerable to an Authorization Bypass due to the use of a Next.js component. Since Next.js can be used in the UI layer or API routing, unauthorized users may gain access to protected resources or functionalities, potentially compromising the system's integrity...

Security Bulletin: IBM Event Processing is vulnerable to Server-Side Request Forgery (SSRF) and credential leakage due to the axios package (CVE-2025-27152).

Summary IBM Event Processing is vulnerable to Server-Side Request Forgery SSRF and credential leakage due to the usage of axios package. The axios package is used in event processing to send or retrieve data via HTTP calls, enabling integration with external services or REST APIs during event...

Security Bulletin: Multiple Vulnerabilities in IBM Event Processing

Summary IBM Event Processing was affected by multiple vulnerabilities. These are affecting the operator and frontend components. Vulnerability Details CVEID:CVE-2024-55565 DESCRIPTION: nanoid aka Nano ID before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version. CWE:CWE-835: Loop...

Security Bulletin: IBM Event Processing is vulnerable to Regular Expression Denial of Service (ReDoS) due to the cross-spawn package (CVE-2024-21538).

Summary Operator of IBM Event Processing is vulnerable to Regular Expression Denial of Service ReDoS due to the usage of cross-spawn package. The cross-spawn npm package is a cross-platform solution for spawning child processes in Node.js. Vulnerability Details CVEID:CVE-2024-21538 DESCRIPTION:...

Security Bulletin: IBM Event Processing susceptible improper validation

Summary IBM Event Processing vulnerable to cross-site scripting, caused by improper validation CVE-2024-43788 Vulnerability Details CVEID:CVE-2024-43788 DESCRIPTION: Webpack and Rspack are vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote...

Security Bulletin: Multiple Vulnerabilities in IBM Event Processing

Summary Multiple base image vulnerabilities were addressed in IBM Event Processing version 1.2.2. Vulnerability Details CVEID:CVE-2024-47176 DESCRIPTION: OpenPrinting cups-browsed could allow a remote attacker to obtain sensitive information, caused by the binding on UDP INADDRANY:631 and trustin...

Security Bulletin: Due to use of Async, IBM Event Processing is vulnerable to Regular Expression Denial of Service

Summary Async is used by IBM Event Processing as part of the frontend. CVE-2024-39249 Vulnerability Details CVEID:CVE-2024-39249 DESCRIPTION: Async is vulnerable to a denial of service, caused by the ReDoS Regular Expression Denial of Service while parsing function in autoinject function. By...

Security Bulletin: Due to use of Axios, IBM Event Processing is vulnerable to server-side request forgery

Summary Axios is used by IBM Event Processing frontend. CVE-2024-39338 Vulnerability Details CVEID:CVE-2024-39338 DESCRIPTION: Axios is vulnerable to server-side request forgery, caused by a flaw with requests for path relative URLs get processed as protocol relative URLs. By sending a specially...

Security Bulletin: IBM Event Processing is vulnerable to a denial of service

Summary Operator of IBM Event Processing backend and operator is vulnerable to denial of service. CVE-2024-25710, CVE-2024-26308 Vulnerability Details CVEID:CVE-2024-25710 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a...

Security Bulletin: Multiple Vulnerabilities in IBM Event Processing.

Summary Multiple vulnerabilities were addressed in IBM Event Processing version 1.1.8 Vulnerability Details CVEID:CVE-2024-30171 DESCRIPTION: The Bouncy Castle Crypto Package For Java could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the RSA decrypti...

Security Bulletin: IBM Operator for Apache Flink is vulnerable to a denial of service attack due to the Apache Commons Compress component ( CVE-2024-25710,CVE-2024-26308).

Summary IBM Operator for Apache Flink is vulnerable to a denial of service attack due to the Apache Commons Compress component. Apache Flink uses Commons Compress for handling compressed files and formats, enabling efficient data processing and storage. Vulnerability Details CVEID:CVE-2024-25710...