8.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48881

CVE-2025-48881: Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users

Impact

All objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users.

If object-urls are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations.

Attack requirements

The following conditions have to be met in order to perform this attack:

A user must be logged in
- No relevant application roles are required
At least one object-type must be configured via object-management
- The scope of the attack is limited to objects that are configured via object-management.
- The value of showInDataMenu is irrelevant for this attack

Patches

No patch is available yet

Workarounds

It is possible to override the endpoint security as defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer. Depending on the implementation, this could result in loss of functionality.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-48881

CVE-2025-48881:

8.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions
com.ritense.valtimo:objecten-api	maven	>= 11.0.0.RELEASE, <= 11.3.3.RELEASE
com.ritense.valtimo:object-management	maven	>= 11.0.0.RELEASE, <= 11.3.3.RELEASE
com.ritense.valtimo:object-management	maven	>= 12.0.0.RELEASE, <= 12.12.0.RELEASE
com.ritense.valtimo:objecten-api	maven	>= 12.0.0.RELEASE, <= 12.12.0.RELEASE

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (GHSA-965r-9cg9-g42p / CVE-2025-48881) lies in an incorrect authorization mechanism within the Valtimo backend libraries, specifically affecting the 'objecten-api' and 'object-management' components. According to the advisory, all objects for which an object-management configuration exists can be manipulated by unauthorized (but authenticated) users.

The advisory explicitly mentions that a workaround involves overriding endpoint security defined in ObjectenApiHttpSecurityConfigurer and ObjectManagementHttpSecurityConfigurer. This strongly suggests that these two classes contain the flawed security configurations. In Spring Security, such HttpSecurityConfigurer classes typically have a configure(HttpSecurity http) method (or similar) where security rules (like authentication and authorization requirements for specific URL patterns) are defined. The vulnerability implies that these configurations are too permissive, failing to correctly enforce authorization checks for the object-related API endpoints.

Since no patch is available, the analysis relies on the description provided in the security advisory. The functions listed are inferred to be the primary locations of the faulty security logic based on their names and the context of Spring Security configuration. An attacker exploiting this vulnerability would interact with API endpoints whose security is governed by these configuration classes. During such an interaction, the methods within these classes responsible for applying security filters and rules would be part of the execution flow, and if a profiler were attached, these configuration methods (or methods they call) would appear in the stack trace when security decisions are being made (or, in this case, improperly made).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-48881: Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users

Impact

Attack requirements

Patches

Workarounds

CVE-2025-48881:

8.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-48881: Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users

Impact

Attack requirements

Patches

Workarounds

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

8.3

8.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI