CVE-2025-33138: 
IBM Aspera Faspex vulnerability analysis and mitigation

IBM Aspera Faspex versions 5.0.0 through 5.0.12 is vulnerable to HTML injection, identified as CVE-2025-33138. The vulnerability was discovered and disclosed on May 22, 2025. This security flaw affects the IBM Aspera Faspex software platform, specifically versions from 5.0.0 up to but not including version 5.0.12.1 (NVD, IBM Security).

The vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page - Basic XSS). It has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires low attack complexity, requires privileges, and needs user interaction for successful exploitation (IBM Security, NVD).

When successfully exploited, this vulnerability allows a remote attacker to inject malicious HTML code which, when viewed, would be executed in the victim's web browser within the security context of the hosting site. This could potentially lead to unauthorized access to sensitive information or enable the attacker to perform actions on behalf of the victim (Wiz).

IBM strongly recommends addressing the vulnerability by upgrading to version 5.0.12.1 which is available from IBM Container Registry. No alternative workarounds or mitigations are available for this vulnerability (IBM Security).