CVE-2025-61884: 
NixOS vulnerability analysis and mitigation

CVE-2025-61884 is a high-severity vulnerability in Oracle E-Business Suite's Configurator product (Runtime UI component) affecting versions 12.2.3 through 12.2.14. The vulnerability was disclosed on October 11, 2025, and is remotely exploitable without requiring authentication. This security flaw allows unauthenticated attackers with network access via HTTP to compromise Oracle Configurator (Oracle Alert, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The flaw is characterized as a Server-Side Request Forgery (SSRF) vulnerability that exists in the Runtime UI component of Oracle Configurator. The technical assessment indicates that it is easily exploitable and requires no user interaction or privileges for successful exploitation (NVD, CISA KEV).

Successful exploitation of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. The high confidentiality impact rating indicates that attackers can gain access to sensitive resources within the affected systems (NVD, Oracle Alert).

Oracle strongly recommends that customers apply the security updates provided in the Patch Availability Document as soon as possible. Organizations are advised to upgrade to supported versions and apply all Security Alerts and Critical Patch Update security patches without delay. CISA has set a due date of November 10, 2025, for federal agencies to apply the vendor-provided mitigations (Oracle Alert, CISA KEV).

Security researchers and industry experts have expressed concern about the vulnerability, particularly given its addition to CISA's KEV catalog. Arctic Wolf has reported that Oracle released this as an emergency fix, highlighting the severity and urgency of the vulnerability (Arctic Wolf, Hacker News).