CVE-2025-36097: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty versions 17.0.0.3 through 25.0.0.7 are vulnerable to a denial of service vulnerability identified as CVE-2025-36097. The vulnerability was discovered and disclosed on July 16, 2025, and is caused by a stack-based overflow that affects systems with jsonp-1.0, jsonp-1.1, or jsonp-2.0 features enabled (IBM Security Bulletin).

The vulnerability is classified as a stack-based buffer overflow (CWE-121) that can lead to denial of service conditions. It has received a CVSS Base Score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it is network-accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (IBM Security Bulletin).

When exploited, the vulnerability allows an attacker to send specially crafted requests that cause the server to consume excessive memory resources, potentially leading to a denial of service condition. This can affect the availability of the WebSphere Application Server and WebSphere Application Server Liberty services (IBM Security Bulletin).

IBM has released patches to address this vulnerability. For WebSphere Application Server Liberty 17.0.0.3 - 25.0.0.7, users should either upgrade to Fix Pack 25.0.0.8 or later (targeted for 3Q2025), or apply the Interim Fix that resolves PH67183. For WebSphere Application Server traditional V9.0.0.0 through 9.0.5.24, users should either upgrade to Fix Pack 9.0.5.25 or later, or apply the Interim Fix that resolves PH67120. No workarounds are available for this vulnerability (IBM Security Bulletin, ASEC Advisory).