CVE-2025-2950 MEDIUM

CVE-2025-2950: IBM i improper HTTP header neutralization

Vendor IBM
Product i
Weakness CWE-644
Published April 18, 2025
Last update August 28, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

IBM i 7.3, 7.4, 7.5, and 7.5 are vulnerable to a Host header injection attack caused by improper neutralization of HTTP header content by IBM Navigator for i. An authenticated user can manipulate the Host header in HTTP requests to change the domain/IP address, which may lead to unexpected behavior.

Key dates

02 Disclosure timeline

April 18, 2025 CVE published
August 28, 2025 Record updated