Skip to main content

HCL AION CVE-2025-52625

LOW
Use of Web Browser Cache Containing Sensitive Information (CWE-525)
2025-10-10 psirt@hcl.com
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 25, 2026 - 18:30 vuln.today

DescriptionCVE.org

A vulnerability

Cacheable SSL Page Found vulnerability has been identified

in HCL AION.

Cached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser

This issue affects AION: 2.0.

AnalysisAI

HCL AION 2.0 improperly caches sensitive SSL/HTTPS page content, allowing attackers or local users with device or browser access to retrieve cached credentials, system identifiers, and internal file paths. The vulnerability has a CVSS score of 3.7 (low severity) due to high attack complexity and local/physical access requirements, with no public exploit or active exploitation confirmed.

Technical ContextAI

This vulnerability stems from improper cache control headers on SSL/HTTPS pages (CWE-525: Information Exposure Through Query Strings in URL). When web applications fail to set appropriate Cache-Control, Pragma, or Expires headers with no-cache/no-store directives, browsers and intermediate caches (proxies, CDNs) may store sensitive response bodies. In AION 2.0, authentication credentials and system metadata intended for single-session use are retained in accessible cache storage, exploitable by anyone with local file system or browser history access. The root cause is likely missing or improperly configured HTTP cache-prevention headers on authentication or administrative endpoints.

RemediationAI

Contact HCL support via the security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124444 for patched version availability and specific update instructions. If patched versions are available, upgrade AION to the minimum recommended version. Interim compensating controls include: (1) Configure web server (nginx, Apache, etc.) to enforce strict Cache-Control headers (no-cache, no-store, must-revalidate) on all AION authentication and administrative endpoints-this prevents browser and proxy caching of sensitive responses with minimal performance impact; (2) Educate users to disable browser cache for sensitive domains or use private/incognito browsing modes when accessing AION from shared or untrusted devices; (3) Implement HTTPS-only (HSTS headers) to prevent downgrade attacks that could expose cached plaintext responses; (4) Review AION configuration documentation for any session-specific cache directives that may be disabled by default and should be re-enabled. Without vendor guidance, these controls reduce but do not eliminate risk.

More in Aion

View all
CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 MEDIUM
5.6 Mar 16

HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-

CVE-2025-62305 MEDIUM
5.1 May 14

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-62308 MEDIUM
5.1 May 14

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot

Share

CVE-2025-52625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy