CVE-2025-62329

Published Dec 16, 2025

Last updated 2 months ago

CVSS medium 5.0

Overview

Description
HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions.
Source
psirt@hcl.com
NVD status
Analyzed
Products
hcl_devops_deploy, hcl_launch

Risk scores

CVSS 3.1

Type
Primary
Base score
5.6
Impact score
3.4
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity
MEDIUM

Weaknesses

psirt@hcl.com
CWE-613

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. In HCL DevOps Deploy 8.1.2.0 through 8.1.2.3, a user with LLM configuration privileges may be able to recover a credential previously saved for performing authenticated LLM Queries.CVE-2025-62327
  2. Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages.CVE-2025-59849
  3. Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow to execute malicious code in certain web pages.CVE-2025-55254
  4. HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive monitoring or man-in-the-middle attacks.CVE-2025-62330
  5. HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.CVE-2025-0272

References

Sources include official advisories and independent security research.