EUVD-2025-209065

CVE-2025-55271 | Severity: LOW | CVSS 3.1 base score: 3.1 | Published: 2026-03-26 | Vendor: HCL

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:15 (euvd) - EUVD-2025-209065
CVE Published: Mar 26, 2026 - 12:59 (nvd)

Description

HCL Aftermarket DPC is affected by an HTTP Response Splitting vulnerability where, depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response.

Analysis

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or commands into HTTP responses, potentially leading to content spoofing or further exploitation depending on how the application handles the response. The vulnerability affects Aftermarket DPC version 1.0.0 and requires user interaction to exploit. No public exploit was identified at the time of analysis, and exploitation is not currently automatable according to the CISA SSVC assessment, resulting in a low real-world risk profile despite the injection vector.

Technical Context

HTTP Response Splitting vulnerabilities arise from improper sanitization of user-controlled input that is incorporated into HTTP response headers, as classified under CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers). HCL Aftermarket DPC (identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) fails to adequately validate or encode data before including it in response headers, permitting an attacker to inject carriage return and line feed characters. This allows an attacker to terminate the current HTTP header block and inject arbitrary headers or even an entirely new HTTP response, potentially enabling cache poisoning, session fixation, or credential theft depending on downstream processing by intermediate proxies or client-side applications.

Affected Products

HCL Aftermarket DPC version 1.0.0 is confirmed affected by this vulnerability. The affected product is identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. Consult the vendor security advisory provided by HCL at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for comprehensive version scope and patch availability details. Additional vulnerability intelligence is available via VulDB at https://vuldb.com/?id.353600 and the NIST NVD at https://nvd.nist.gov/vuln/detail/CVE-2025-55271.

Remediation

Apply the vendor-released patch from HCL by consulting the official security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793, which details the exact patched version and upgrade procedure. If immediate patching is not feasible, implement input validation and output encoding controls at the application or web application firewall layer to neutralize CRLF injection attempts in user-supplied parameters that are reflected in HTTP response headers. Additionally, enforce strict HTTP response header validation policies and consider deploying a reverse proxy with header filtering rules to prevent response splitting attacks. Monitor HTTP response headers in production logs for anomalous injection patterns.
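As an added example (not code from HCL, the vendor advisory, or vuln.today), the following Python shows the two compensating controls recommended above: a fail-closed header-value validator that refuses CR, LF and other control characters before a value reaches the response header block (the CWE-113 neutralization described under Technical Context), and a detection routine that flags request parameters carrying literal or percent-encoded CRLF, of the kind one would run over parameters reflected into headers in production logs. The function names and the sample parameters are constructed for this illustration and nothing here is specific to Aftermarket DPC.

```python
"""CWE-113 defences: validate header values before they are emitted, and
flag CRLF sequences in user-supplied parameters that an application
reflects into HTTP response headers."""
import re
from typing import Dict, List
from urllib.parse import unquote

# RFC 7230 field-value: visible ASCII, SP, HTAB and obs-text. CR and LF
# terminate a header line, so they (with the other C0 controls and DEL)
# are rejected outright rather than "cleaned" or encoded.
_ILLEGAL_IN_HEADER = re.compile(r"[\x00-\x08\x0A-\x1F\x7F]")

# RFC 7230 token characters, the only ones legal in a header name.
_HEADER_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderInjectionError(ValueError):
    """Raised when a value would split or corrupt the HTTP header block."""


def is_safe_header_value(value: str) -> bool:
    """True when value can sit on a single header line unchanged."""
    return _ILLEGAL_IN_HEADER.search(value) is None


def validate_header_value(name: str, value: str) -> str:
    """Return value unchanged if it is a legal single-line header value.

    Fails closed: anything containing CR, LF or another control byte is
    refused rather than stripped, because a stripper can be bypassed by
    encodings it did not anticipate.
    """
    if not _HEADER_NAME.fullmatch(name):
        raise HeaderInjectionError(f"illegal header name {name!r}")
    if not is_safe_header_value(value):
        raise HeaderInjectionError(f"control character in header {name}")
    return value


def set_header(headers: Dict[str, str], name: str, value: str) -> None:
    """Drop-in replacement for headers[name] = value when value is user-influenced."""
    headers[name] = validate_header_value(name, value)


def serialize_headers(headers: Dict[str, str]) -> bytes:
    """Emit the header block; every entry is re-checked so it stays single-line."""
    lines = [f"{k}: {validate_header_value(k, v)}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Detection side: inspect parameters both raw and once percent-decoded,
# since %0D%0A only becomes CRLF after the application decodes it.
_CRLF = re.compile(r"[\r\n]")


def flag_crlf_parameters(params: Dict[str, str]) -> List[str]:
    """Return names of parameters carrying CR/LF, literal or %0D/%0A-encoded."""
    return [
        pname
        for pname, pvalue in params.items()
        if _CRLF.search(pvalue) or _CRLF.search(unquote(pvalue))
    ]


# Constructed sample input (not from the advisory): two benign values, one
# with a literal CRLF, one with a percent-encoded CRLF.
SAMPLE_PARAMS = {
    "next": "/account/summary",
    "lang": "en-US\r\nX-Test: 1",
    "ref": "home%0d%0aX-Test%3a+2",
    "page": "3",
}

if __name__ == "__main__":
    print("flagged parameters:", flag_crlf_parameters(SAMPLE_PARAMS))
    headers: Dict[str, str] = {}
    set_header(headers, "Location", SAMPLE_PARAMS["next"])
    print(serialize_headers(headers))
    try:
        set_header(headers, "Content-Language", SAMPLE_PARAMS["lang"])
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

The validator is deliberately a rejecter, not a sanitizer: the remediation text asks for CRLF attempts to be neutralized, and refusing the request (or the header) is the neutralization least likely to be bypassed by an encoding the filter did not anticipate. The detection routine is the application-side counterpart of the WAF rule the advisory suggests and is cheap enough to run on every reflected parameter.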

Priority Score

16 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +16
POC: 0
