Skip to main content

Aftermarket Dpc CVE-2025-55271

| EUVDEUVD-2025-209065 LOW
HTTP Response Splitting (CWE-113)
2026-03-26 HCL
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:15 euvd
EUVD-2025-209065
Analysis Generated
Mar 26, 2026 - 13:15 vuln.today
CVE Published
Mar 26, 2026 - 12:59 nvd
LOW 3.1

DescriptionCVE.org

HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response..

AnalysisAI

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or commands into HTTP responses, potentially leading to content spoofing or further exploitation depending on application response handling. The vulnerability affects Aftermarket DPC version 1.0.0 and requires user interaction to exploit. No public exploit identified at time of analysis, and exploitation is not currently automatable according to CISA SSVC assessment, resulting in a low real-world risk profile despite the injection vector.

Technical ContextAI

HTTP Response Splitting vulnerabilities arise from improper sanitization of user-controlled input that is incorporated into HTTP response headers, as classified under CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers). HCL Aftermarket DPC (identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) fails to adequately validate or encode data before including it in response headers, permitting an attacker to inject carriage return and line feed characters. This allows an attacker to terminate the current HTTP header block and inject arbitrary headers or even an entirely new HTTP response, potentially enabling cache poisoning, session fixation, or credential theft depending on downstream processing by intermediate proxies or client-side applications.

RemediationAI

Apply the vendor-released patch from HCL by consulting the official security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793, which details the exact patched version and upgrade procedure. If immediate patching is not feasible, implement input validation and output encoding controls at the application or web application firewall layer to neutralize CRLF injection attempts in user-supplied parameters that are reflected in HTTP response headers. Additionally, enforce strict HTTP response header validation policies and consider deploying a reverse proxy with header filtering rules to prevent response splitting attacks. Monitor HTTP response headers in production logs for anomalous injection patterns.

CVE-2025-55262 HIGH
8.3 Mar 26

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas

CVE-2025-55261 HIGH
8.1 Mar 26

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c

CVE-2025-55263 HIGH
7.3 Mar 26

Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera

CVE-2025-55265 MEDIUM
6.5 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s

CVE-2025-55266 MEDIUM
5.9 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user

CVE-2025-55267 MEDIUM
5.7 Mar 26

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434

CVE-2025-55264 MEDIUM
5.5 Mar 26

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti

CVE-2025-55268 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso

CVE-2025-55273 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers

CVE-2025-55269 MEDIUM
4.2 Mar 26

HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a

CVE-2025-55275 LOW
3.7 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at

CVE-2025-55270 LOW
3.5 Mar 26

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec

Share

CVE-2025-55271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy