Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by Spamming Vulnerability which can allow the actor to excessive spamming can consume server bandwidth and processing resources which may lead to Denial of Service.
AnalysisAI
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing resources, potentially causing denial of service to legitimate users. The vulnerability requires user interaction (UI:R per CVSS vector) and is remotely exploitable without authentication, resulting in partial availability impact. No public exploit code or active exploitation has been identified at time of analysis, though the low barrier to exploitation (AC:L) makes this a practical attack vector for resource exhaustion.
Technical ContextAI
CVE-2025-55268 is classified under CWE-799 (Improper Control of Interaction Frequency), which describes inadequate rate limiting or request throttling mechanisms. HCL Aftermarket DPC (CPE: cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) lacks sufficient input validation or request filtering to prevent an attacker from flooding the application with repeated requests. The vulnerability stems from missing or insufficient anti-spam controls that would normally enforce per-user or per-IP request quotas, connection limits, or CAPTCHA challenges. The root cause is not a flaw in an underlying library but rather incomplete implementation of resource protection mechanisms in the application's request handling layer.
RemediationAI
HCL customers should consult the official vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for patch availability and recommended upgrade versions. Until a patched version is deployed, implement compensating controls: configure rate limiting at the network or load balancer level to restrict requests per source IP or user session, deploy Web Application Firewall (WAF) rules to detect and block spamming patterns, enforce request throttling with exponential backoff for repeated submissions from the same source, and monitor server resource utilization and request logs for anomalies indicating attack activity. If the application is exposed to untrusted networks, consider restricting access via IP allowlisting or VPN until patching is complete.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same weakness CWE-799 – Improper Control of Interaction Frequency
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209059