1. Home
  2. CVE Database
  3. CVE-2025-36857
LOW · 3.3

CVE-2025-36857

Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directo...

Vulnerability Description

Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directories belonging to other users or projects. Affected versions allow standard users to add custom configuration files. These files, which are loaded in alphabetical order, can override or change the settings of the original configuration files, creating a security vulnerability. This issue stems from improper directory access management. This vulnerability was remediated in version 7.5.021 of the product.

CVSS Score

3.3

LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
Rapid7Appspider Pro< 7.5.021

Related Weaknesses (CWE)

CWE-276

References

FAQ

What is CVE-2025-36857?

CVE-2025-36857 is a vulnerability with a CVSS score of 3.3 (LOW). Rapid7 Appspider Pro versions below 7.5.021, suffer from a broken access control vulnerability in the application's configuration file loading mechanism, whereby an attacker can place files in directo...

How severe is CVE-2025-36857?

CVE-2025-36857 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-36857?

Check the references section above for vendor advisories and patch information. Affected products include: Rapid7 Appspider Pro.