CVE-2025-31991

EUVD-2025-209421 | Severity: MEDIUM | 2026-04-13 | HCL | CVSS 3.1 base score: 6.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 16:44 (vuln.today)

Description (NVD)

Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7.

Analysis (AI)

Brute-force attacks against the HCL DevOps Velocity user login are possible because rate limiting of failed authentication attempts is not adequately enforced, allowing an attacker who already holds high privileges to continue past the unsuccessful login attempt limit and potentially compromise user accounts. The CVSS score of 6.8 reflects the integrity impact (account compromise) with a changed scope (S:C), i.e. across system boundaries; the high-privilege requirement (PR:H) limits opportunistic exploitation. Vendor-released fix: version 5.1.7.

Technical Context (AI)

HCL DevOps Velocity implements a rate-limiting mechanism intended to protect user login endpoints from brute-force and credential-stuffing attacks by restricting the number of failed attempts. This protection addresses CWE-307 (Improper Restriction of Excessive Authentication Attempts), a common weakness in authentication systems. The vulnerability manifests as incomplete or inconsistent enforcement of the rate-limit policy, allowing an attacker to exceed the configured threshold for unsuccessful logins. The CVSS vector indicates the attack requires a high-privilege context (PR:H), suggesting the affected paths are administrative or service-account workflows in which the limit is bypassed or not validated for certain request paths or session states.

Remediation (AI)

Upgrade HCL DevOps Velocity to version 5.1.7 or later, which includes the rate-limiting enforcement fix. Users unable to patch immediately should deploy compensating controls such as Web Application Firewall (WAF) rules that rate-limit login attempts by both source IP and account, and audit high-privilege user access logs for suspicious patterns of failed authentication. Refer to HCL's official advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138 for detailed guidance and any interim mitigations.
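The CWE-307 control the advisory describes, as an added illustration of what correct enforcement looks like (hypothetical code, not HCL DevOps Velocity's implementation): failed attempts are counted in one server-side store keyed by account and by source, consulted before credentials are checked on every login path, so the limit cannot be exceeded by switching endpoints or sessions. The thresholds and the placeholder password check are assumptions for the demo.

```python
import time
from collections import defaultdict, deque
# Hypothetical failed-login limiter, not HCL DevOps Velocity code. Counters live in
# one server-side store keyed by account and by source, so every login path shares them.
MAX_FAILURES = 5        # failures tolerated inside WINDOW_SECONDS
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # block duration once the limit is reached

class FailedLoginLimiter:
    def __init__(self):
        self._failures = defaultdict(deque)   # key -> failure timestamps
        self._blocked_until = {}              # key -> time the block lifts

    @staticmethod
    def _keys(account, source_ip):
        # Per account (one user guessed from many addresses) and per source
        # (many accounts sprayed from one address); both must be enforced.
        return (f"acct:{account.lower()}", f"ip:{source_ip}")

    def is_blocked(self, account, source_ip, now=None):
        now = time.time() if now is None else now
        return any(self._blocked_until.get(k, 0) > now
                   for k in self._keys(account, source_ip))

    def record_failure(self, account, source_ip, now=None):
        # Called on every failed authentication, whichever endpoint handled it.
        now = time.time() if now is None else now
        for key in self._keys(account, source_ip):
            q = self._failures[key]
            while q and now - q[0] > WINDOW_SECONDS:   # drop stale failures
                q.popleft()
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self._blocked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, account):
        # Success resets the account counter only; a guessing source stays counted.
        self._failures.pop(f"acct:{account.lower()}", None)

def authenticate(limiter, account, source_ip, password, now=None, secret="correct-horse"):
    # Consult the limiter BEFORE checking credentials so a blocked caller learns
    # nothing about whether the guess was right (no oracle past the limit).
    if limiter.is_blocked(account, source_ip, now):
        return "locked"
    if password == secret:                  # placeholder check for the demo
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, source_ip, now)
    return "denied"
```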
