CVE-2025-25182
Published: 12 February 2025
Description
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Security Summary
CVE-2025-25182 is an authentication bypass vulnerability (CWE-290) in Stroom, the open-source data processing, storage, and analysis platform developed by GCHQ. It affects versions from 7.2-beta.53 up to but not including 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 (the first fixed release of each line). The flaw is specific to deployments in which Stroom is configured for AWS Application Load Balancer (ALB) authentication integration and is also network-reachable directly, without passing through the ALB. The vulnerability carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), indicating high severity: it is reachable over the network and requires neither privileges nor user interaction.
An unauthenticated remote attacker can exploit the flaw by reaching the Stroom instance directly, bypassing the ALB. Successful exploitation grants unauthorized access to the system. It may additionally enable server-side request forgery (SSRF) against the AWS instance metadata endpoint, which in AWS environments can lead to remote code execution or further privilege escalation.
The vulnerability is fixed in Stroom versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2; security practitioners should upgrade to one of these releases. Further details, including the fixing pull request, are available in the GitHub security advisory (GHSA-x489-xx2m-vc43) and the corresponding pull request (#4320).
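The version ranges above mix pre-release ("-beta.N") and final release numbers, so a naive string comparison gets them wrong. The following checker is an added example, not code from the advisory or from the Stroom project; it encodes only the ranges the advisory states. It assumes that a "-beta.N" pre-release sorts before every final release of the same major.minor line, and it reports release lines the advisory does not name (for example 7.6) as "not covered" rather than guessing.

```python
"""Classify a Stroom version string against the CVE-2025-25182 affected range.

Added example (not from the advisory or from Stroom). Ranges come from the
advisory text: affected from 7.2-beta.53 up to but not including 7.2.24,
7.3-beta.22, 7.4.4 and 7.5-beta.2, each being the first fixed release of its
line. Assumption: a "-beta.N" pre-release sorts before every final release of
the same major.minor; lines not named in the advisory are reported as None.
"""
import re
from typing import Optional, Tuple

# Sort key: (major, minor, is_final_release, patch_or_beta_number).
# is_final_release is 0 for betas and 1 for finals, so 7.3-beta.22 < 7.3.0.
VersionKey = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:-beta\.(\d+)|\.(\d+))$")


def parse_version(text: str) -> VersionKey:
    """Parse '7.2.24' or '7.2-beta.53' (optional leading 'v') into a sortable key."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Stroom version: {text!r}")
    major, minor, beta, patch = m.groups()
    if beta is not None:
        return (int(major), int(minor), 0, int(beta))
    return (int(major), int(minor), 1, int(patch))


FIRST_AFFECTED = parse_version("7.2-beta.53")

# First fixed release of each line, as stated in the advisory.
FIXED_BY_LINE = {
    (7, 2): parse_version("7.2.24"),
    (7, 3): parse_version("7.3-beta.22"),
    (7, 4): parse_version("7.4.4"),
    (7, 5): parse_version("7.5-beta.2"),
}


def is_affected(text: str) -> Optional[bool]:
    """True if affected, False if older than the range or already fixed,
    None if the version's release line is not covered by the advisory."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def upgrade_target(text: str) -> Optional[str]:
    """Return the advisory's fixed release for an affected version, else None."""
    if not is_affected(text):
        return None
    major, minor, is_final, n = FIXED_BY_LINE[parse_version(text)[:2]]
    return f"{major}.{minor}.{n}" if is_final else f"{major}.{minor}-beta.{n}"


if __name__ == "__main__":
    for sample in ["7.2-beta.52", "7.2.23", "7.2.24", "7.3-beta.21", "7.4.3", "7.5-beta.2", "7.6.0"]:
        print(f"{sample:12} affected={is_affected(sample)!s:5} upgrade_to={upgrade_target(sample)}")
```

Feed it the version string reported by your Stroom deployment; an affected result names the release the advisory says to move to.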
Details
- CWE(s): CWE-290 (Authentication Bypass by Spoofing)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1552.005 (Unsecured Credentials: Cloud Instance Metadata API)
Why these techniques?
The authentication bypass in a public-facing Stroom application (when the ALB integration is misconfigured so that the application is reachable directly) enables T1190 for initial unauthorized access. The same flaw also facilitates SSRF against the AWS instance metadata API, enabling T1552.005 for credential theft and potential RCE or privilege escalation.
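Both conditions that make this issue exploitable, the Stroom instance being reachable without passing through the ALB (Security Summary) and the instance metadata service being reachable by an SSRF (the T1552.005 mapping above), are visible in EC2 configuration. The audit below is an added example, not code from the advisory or from Stroom: it inspects records in the shape returned by `aws ec2 describe-security-groups` and `aws ec2 describe-instances` and reports ingress to the application port that is not sourced from the ALB's security group, and instances where IMDSv2 is not enforced. The security group ids, port and instance records are constructed sample values, not real infrastructure.

```python
"""Audit the two deployment conditions behind CVE-2025-25182.

Added example (not from the advisory or from Stroom). Input shapes follow the
EC2 API (IpPermissions / MetadataOptions); all ids and values are constructed.
"""
from typing import Dict, List

# --- constructed sample data (assumed ids and port; not real resources) ---
ALB_SG_ID = "sg-0a1b000000000001"   # assumption: the ALB's security group
APP_SG_ID = "sg-0a9b000000000002"   # assumption: the Stroom instances' group
STROOM_PORT = 8080                  # assumption: port Stroom listens on

SECURITY_GROUPS = [
    {
        "GroupId": APP_SG_ID,
        "IpPermissions": [
            # intended rule: only the ALB may reach the app port
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}]},
            # misconfiguration: app port also open to the whole VPC CIDR
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
            # unrelated rule on another port (must not be reported)
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
        ],
    }
]

INSTANCES = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1",   # hardened: IMDSv2 only, hop limit 1
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2",   # weak: IMDSv1 allowed, hop limit 2
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
]


def _rule_covers_port(rule: Dict, port: int) -> bool:
    """True if an ingress rule includes `port` ('-1' means all protocols/ports)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def direct_exposure_findings(groups: List[Dict], app_sg_id: str,
                             alb_sg_id: str, port: int) -> List[str]:
    """List ingress sources on the app port other than the ALB's security group.
    Any finding means the app is reachable without going through the ALB."""
    findings: List[str] = []
    for sg in groups:
        if sg["GroupId"] != app_sg_id:
            continue
        for rule in sg.get("IpPermissions", []):
            if not _rule_covers_port(rule, port):
                continue
            for r in rule.get("IpRanges", []):
                findings.append(f"{app_sg_id}: port {port} open to CIDR {r['CidrIp']}")
            for r in rule.get("Ipv6Ranges", []):
                findings.append(f"{app_sg_id}: port {port} open to CIDR {r['CidrIpv6']}")
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] != alb_sg_id:
                    findings.append(f"{app_sg_id}: port {port} open to group {pair['GroupId']}")
    return findings


def imds_findings(instances: List[Dict]) -> List[str]:
    """List instances whose IMDS settings leave the metadata API easy to reach via SSRF.
    IMDSv2 (HttpTokens=required) needs a PUT with a custom header first, which a
    plain GET-based SSRF cannot supply; hop limit 1 keeps responses on the host."""
    findings: List[str] = []
    for inst in instances:
        iid = inst["InstanceId"]
        opts = inst.get("MetadataOptions", {})
        if opts.get("HttpEndpoint") == "disabled":
            continue  # no metadata endpoint at all, nothing for an SSRF to reach
        if opts.get("HttpTokens") != "required":
            findings.append(f"{iid}: IMDSv1 still allowed (HttpTokens={opts.get('HttpTokens')})")
        if opts.get("HttpPutResponseHopLimit", 1) > 1:
            findings.append(f"{iid}: hop limit {opts['HttpPutResponseHopLimit']} exceeds 1")
    return findings


if __name__ == "__main__":
    for line in direct_exposure_findings(SECURITY_GROUPS, APP_SG_ID, ALB_SG_ID, STROOM_PORT):
        print("EXPOSURE:", line)
    for line in imds_findings(INSTANCES):
        print("IMDS:", line)
```

On a real account, replace the constructed lists with the parsed JSON output of the two `describe-*` calls for the VPC hosting Stroom; a clean run prints nothing, and any exposure finding is the deployment condition the advisory describes.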