CVE-2025-33136: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex versions 5.0.0 through 5.0.12 contains a vulnerability (CVE-2025-33136) that could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed immutable data. The vulnerability was disclosed on May 22, 2025, and was assigned by IBM Corporation (IBM Advisory).

The vulnerability is classified as CWE-471 (Modification of Assumed-Immutable Data) and has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. This indicates that the vulnerability requires network access and low privileges to exploit, requires no user interaction, and can result in high confidentiality impact and low integrity impact (Wiz Analysis).

If exploited, this vulnerability allows authenticated users to obtain sensitive information or perform unauthorized actions on behalf of other users. The high CVSS score particularly emphasizes the significant confidentiality impact, indicating potential exposure of sensitive data (IBM Advisory).

IBM has released version 5.0.12.1 to address this vulnerability and strongly recommends upgrading to this version. The fix is available through the IBM Container Registry. No alternative workarounds have been provided (IBM Advisory).