Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Network-reachable HTTP endpoint requires authenticated low-privilege user; temporary and partial availability impact only, with no confidentiality or integrity effect.
Primary rating from Vendor (ibm).
CVSS VectorVendor: ibm
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to cause a temporary denial using a specially crafted HTTP request due to improper allocation of resource throttling.
AnalysisAI
Temporary denial of service in IBM watsonx.data intelligence 5.2.0 through 5.3.0 is achievable by authenticated users who submit specially crafted HTTP requests, exploiting improper resource throttling allocation (CWE-770). The impact is limited to availability - confidentiality and integrity are unaffected - and the disruption is described as temporary rather than persistent. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
IBM watsonx.data intelligence is an enterprise data lakehouse platform combining open data formats with AI-driven analytics. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), a class of flaw where the application fails to enforce adequate rate-limiting or quota controls on incoming HTTP requests. When a user submits a specially crafted request, the server may allocate resources (threads, memory, processing time) beyond intended bounds without capping them, creating a temporary saturation condition. The affected CPE is cpe:2.3:a:ibm:watsonx.data_intelligence:*:*:*:*:*:*:*:* covering versions 5.2.0, 5.2.1, 5.2.2, and 5.3.0.
RemediationAI
IBM has released a patch and advises applying the fix documented at https://www.ibm.com/support/pages/node/7277801. The exact patched version number is not confirmed in the available data - administrators should consult the IBM advisory directly to identify the target upgrade version. As a compensating control prior to patching, organizations should restrict authenticated access to the watsonx.data intelligence API to only necessary users and service accounts, reducing the pool of principals who could trigger this condition. Additionally, placing a reverse proxy or API gateway with request-rate limiting in front of the service can reduce the effectiveness of throttling-based denial of service attacks, though this adds operational complexity and does not eliminate the underlying flaw.
More in Watsonx Data Intelligence
View allClient-side enforcement of server-side security in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 allows an
Stored cross-site scripting in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 allows authenticated low-privi
Cleartext data transmission in IBM watsonx.data intelligence versions 5.2.2 through 5.3.1 (including patch-1) exposes se
Cleartext transmission in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 exposes sensitive data to intercept
HTML injection in IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 enables a remote authenticated attacker to
Cross-site scripting in IBM watsonx.data Intelligence 5.2.0 through 5.3.0 allows low-privileged authenticated users to i
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 leak sensitive technical information to the browser via verbo
IBM watsonx.data Intelligence versions 5.2.0 through 5.3.0 exposes authenticated users to unauthorized action execution
Server-side request forgery in IBM watsonx.data intelligence versions 5.2.0 through 5.3.0 enables authenticated attacker
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210383
GHSA-8g9m-mqc8-rhxx