CVE-2025-33137: 
IBM Aspera Faspex vulnerability analysis and mitigation

CVE-2025-33137 is a security vulnerability affecting IBM Aspera Faspex versions 5.0.0 through 5.0.12, discovered and disclosed on May 22, 2025. The vulnerability allows an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to client-side enforcement of server-side security (IBM Advisory, Wiz).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. It is classified under CWE-602 (Client-Side Enforcement of Server-Side Security), indicating that the application relies on client-side validation for security controls that should be enforced on the server side (IBM Advisory, NVD).

The vulnerability enables authenticated users to bypass security controls, potentially leading to unauthorized access to sensitive information and the ability to perform actions on behalf of other users in the system (IBM Advisory, Wiz).

IBM strongly recommends addressing the vulnerability by upgrading to Aspera Faspex version 5.0.12.1, which is available from IBM Container Registry. No alternative workarounds or mitigations have been provided (IBM Advisory).