CVE-2025-11195: 
AppSpider vulnerability analysis and mitigation

Rapid7 AppSpider Pro versions below 7.5.021 suffer from a project name validation vulnerability, whereby an attacker can change the project name directly in the configuration file to a name that already exists. This issue stems from a lack of effective verification of the uniqueness of project names when editing them outside the application in affected versions. The vulnerability was discovered and disclosed in September 2025, affecting AppSpider Pro software versions prior to 7.5.021 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity) and CWE-20 (Improper Input Validation). The technical issue involves the lack of proper validation when project names are modified directly in configuration files, allowing duplicate project names to exist (NVD).

The vulnerability allows an attacker with local access to modify project names in configuration files, potentially leading to naming conflicts and confusion in project management. The impact is limited to integrity (I:L) with no direct effect on confidentiality or availability of the system (NVD).

The vulnerability has been remediated in AppSpider Pro version 7.5.021. Users are advised to upgrade to this version or later to address the project name validation vulnerability. The fix was released as part of the September 2025 updates (Rapid7 Release Notes).