CVE-2025-6504 HIGH

CVE-2025-6504: Possibilities of IP Spoofing via X-Forwarded-For (XFF) Header

Vendor Progress Software
Product Hybrid Data Pipeline
Published July 29, 2025
Last update July 29, 2025

CVSS base score

8.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.  Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.

Key dates

02Disclosure timeline

July 29, 2025 CVE published
July 29, 2025 Record updated