Platform: python
Component: opencti
Fixed in: 6.5.3, 6.5.2
CVE-2025-26621 describes a Denial of Service (DoS) vulnerability within OpenCTI, an open-source cyber threat intelligence platform. An attacker with the ability to manage customizations can leverage this flaw to trigger prototype pollution within the Node.js frontend, leading to a service disruption. This vulnerability impacts versions of OpenCTI prior to 6.5.2, and a patch has been released.
The primary impact of CVE-2025-26621 is a denial of service. Successful exploitation allows an attacker to crash the OpenCTI frontend, rendering the threat intelligence platform unavailable to legitimate users. This can disrupt critical security operations, hinder incident response, and impede the organization's ability to monitor and analyze cyber threats. The attack vector involves manipulating webhooks, a common feature in threat intelligence platforms for automated data ingestion and integration. Prototype pollution, a JavaScript vulnerability class in which attacker-controlled object keys such as `__proto__` modify a prototype shared by every object in the process, is the underlying mechanism enabling this DoS. While the vulnerability is contained within the frontend, prolonged unavailability can significantly impact the overall security posture.
CVE-2025-26621 was publicly disclosed on 2025-05-19. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The EPSS score is likely to be low to medium, reflecting the need for specific access and knowledge of prototype pollution techniques to exploit the vulnerability.
Exploit Status
EPSS: 0.73% (72nd percentile)
The primary mitigation for CVE-2025-26621 is to immediately upgrade OpenCTI to version 6.5.2 or later. If upgrading is not immediately feasible, restrict access to the webhook customization functionality to trusted administrators only. Implement input validation and sanitization on all webhook data, in particular rejecting or stripping the keys `__proto__`, `constructor` and `prototype` at any nesting depth, to prevent prototype pollution. Monitor OpenCTI logs for unusual activity or errors related to webhook processing. While a WAF may not directly prevent this vulnerability, it can be configured to detect and block suspicious webhook payloads. After upgrading, confirm the fix in a non-production test environment by attempting to create a webhook with potentially malicious JavaScript code and verifying that it does not cause a crash.
Update OpenCTI to version 6.5.2 or later. This version fixes the denial-of-service vulnerability caused by webhook manipulation. The update will prevent malicious users from executing JavaScript code that could affect server availability.
CVE-2025-26621 is a denial-of-service vulnerability in OpenCTI versions prior to 6.5.2. Attackers can exploit prototype pollution through webhook customization to crash the frontend.
You are affected if you are running an OpenCTI version earlier than 6.5.2. Immediately assess your deployment and apply the necessary mitigation.
Upgrade OpenCTI to version 6.5.2 or later. Restrict access to webhook customization and implement input validation as temporary measures.
There is currently no evidence of active exploitation in the wild, but it's crucial to apply the patch proactively.
Refer to the OpenCTI security advisories page on their official website for the latest information and updates regarding CVE-2025-26621.