opencti
Fixed in: 6.5.3, 6.5.2
CVE-2025-26621 describes a Denial of Service (DoS) vulnerability within OpenCTI, an open-source cyber threat intelligence platform. An attacker with the ability to manage customizations can leverage this flaw to trigger prototype pollution within the Node.js frontend, leading to a service disruption. This vulnerability impacts versions of OpenCTI prior to 6.5.2, and a patch has been released.
The primary impact of CVE-2025-26621 is a denial of service. Successful exploitation allows an attacker to crash the OpenCTI frontend, rendering the threat intelligence platform unavailable to legitimate users. This can disrupt critical security operations, hinder incident response, and impede the organization's ability to monitor and analyze cyber threats. The attack vector involves manipulating webhooks, a common feature in threat intelligence platforms for automated data ingestion and integration. Prototype pollution, a JavaScript vulnerability, is the underlying mechanism enabling this DoS. While the vulnerability is contained within the frontend, prolonged unavailability can significantly impact the overall security posture.
CVE-2025-26621 was publicly disclosed on 2025-05-19. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The EPSS score is likely to be low to medium, reflecting the need for specific access and knowledge of prototype pollution techniques to exploit the vulnerability.
Organizations heavily reliant on OpenCTI for threat intelligence management are at significant risk. Specifically, deployments where multiple users have permissions to manage customizations, or where webhook integrations are not properly secured, are particularly vulnerable. Shared hosting environments running OpenCTI also pose a higher risk due to the potential for cross-tenant attacks.
• nodejs: Monitor OpenCTI logs for errors related to prototype pollution or unexpected crashes in the Node.js process. Use journalctl -u opencti to filter for relevant error messages.
• nodejs: Use ps aux | grep node to monitor Node.js processes and check for unusual CPU or memory usage that might indicate an ongoing attack.
• generic web: Examine OpenCTI access logs for unusual webhook requests or attempts to modify webhook configurations from unauthorized IP addresses. Use grep -i webhook /var/log/nginx/access.log (adjust path as needed).
• generic web: Review OpenCTI error logs for any JavaScript errors or exceptions related to prototype pollution. Check /var/log/opencti/error.log (adjust path as needed).
EPSS: 0.73% (72nd percentile)
The primary mitigation for CVE-2025-26621 is to immediately upgrade OpenCTI to version 6.5.2 or later. If upgrading is not immediately feasible, consider restricting access to webhook customization functionality to trusted administrators only. Implement input validation and sanitization on all webhook data to prevent prototype pollution attacks. Monitor OpenCTI logs for unusual activity or errors related to webhook processing. While a WAF may not directly prevent this vulnerability, it can be configured to detect and block suspicious webhook payloads. After upgrading, confirm the fix by attempting to create a webhook with potentially malicious JavaScript code and verifying that it does not cause a crash.
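The input-validation step described above, as an added example that is not OpenCTI's own code: the function names (assertNoPollutionKeys, safeMerge, applyWebhookCustomization) are hypothetical, and the two JSON bodies are constructed samples.

```javascript
// Added example (not OpenCTI's code): validate webhook customisation data
// against prototype-pollution keys before merging it into server-side state.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and throw on any key that could reach Object.prototype.
// Object.keys lists own keys only, so a literal "__proto__" produced by JSON.parse is seen.
function assertNoPollutionKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key "${key}" at ${path}`);
    assertNoPollutionKeys(value[key], `${path}.${key}`);
  }
}

// Deep-merge `source` into `target`: copies own keys only, skips forbidden names,
// and allocates null-prototype containers so the merge never writes through to Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    if (src !== null && typeof src === 'object' && !Array.isArray(src)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const dst = existing !== null && typeof existing === 'object' && !Array.isArray(existing)
        ? existing : Object.create(null);
      target[key] = safeMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Apply a raw webhook customisation body (JSON string) to a base config.
// A forbidden key rejects the whole request instead of being silently dropped.
function applyWebhookCustomization(baseConfig, rawBody) {
  const parsed = JSON.parse(rawBody);
  assertNoPollutionKeys(parsed);
  return safeMerge(baseConfig, parsed);
}

// Constructed sample inputs: a benign customisation and one carrying a "__proto__" key.
const BENIGN_BODY = '{"name":"notify","headers":{"x-token":"abc"}}';
const POLLUTING_BODY = '{"name":"evil","__proto__":{"polluted":true}}';

function demo() {
  const ok = applyWebhookCustomization(Object.create(null), BENIGN_BODY);
  let rejected = false;
  try { applyWebhookCustomization(Object.create(null), POLLUTING_BODY); } catch (_e) { rejected = true; }
  return { name: ok.name, token: ok.headers['x-token'], rejected, prototypeClean: ({}).polluted === undefined };
}
```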
Update OpenCTI to version 6.5.2 or later. This version fixes the denial-of-service vulnerability caused by webhook manipulation. The update prevents malicious users from running JavaScript code that could affect the availability of the server.
CVE-2025-26621 is a denial-of-service vulnerability in OpenCTI versions prior to 6.5.2. Attackers can exploit prototype pollution through webhook customization to crash the frontend.
You are affected if you are running OpenCTI version 6.5.2 or earlier. Immediately assess your deployment and apply the necessary mitigation.
Upgrade OpenCTI to version 6.5.2 or later. Restrict access to webhook customization and implement input validation as temporary measures.
There is currently no evidence of active exploitation in the wild, but it's crucial to apply the patch proactively.
Refer to the OpenCTI security advisories page on their official website for the latest information and updates regarding CVE-2025-26621.