CVE-2025-36857: 
AppSpider vulnerability analysis and mitigation

Rapid7 Appspider Pro versions below 7.5.021 suffer from a broken access control vulnerability in the application's configuration file loading mechanism. The vulnerability allows standard users to place files in directories belonging to other users or projects through the configuration file loading mechanism. The issue was discovered and disclosed on September 25, 2025, and was remediated in version 7.5.021 of the product (NVD, Rapid7 Release Notes).

The vulnerability stems from improper directory access management in the application's configuration file loading mechanism. The affected versions allow standard users to add custom configuration files, which are loaded in alphabetical order. These files can override or change the settings of the original configuration files. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness has been categorized as CWE-276 (Incorrect Default Permissions) (NVD).

The vulnerability allows attackers to manipulate configuration settings by placing files in directories belonging to other users or projects. This can lead to unauthorized changes in application settings and potential security configuration bypasses (NVD).

The vulnerability has been fixed in Rapid7 Appspider Pro version 7.5.021. Users are advised to upgrade to this version or later to remediate the issue. The update includes improved scan configuration validation to prevent duplicate names and enhanced directory conflict handling (Rapid7 Release Notes).