Broken Access Control in Rapid7 Appspider Pro Configuration
CVE-2025-36857
CVSS 3.3 (LOW)
What is CVE-2025-36857?
Rapid7 Appspider Pro versions prior to 7.5.021 are vulnerable to a broken access control issue arising from inadequate control of directory access. The flaw allows standard users to place custom configuration files in directories that should be restricted, which can lead to unauthorized changes to critical settings: because configuration files are loaded in alphabetical order, a user-supplied file that sorts later can overwrite values from the original configuration.
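Added illustration (not Rapid7's code) of the loader behaviour the advisory describes and of a defender's audit for it: files in a configuration directory are merged alphabetically, so a later-sorting file silently wins for every key it repeats. The key=value format, the file names and the "trusted file" list are assumptions for the example only.

```python
"""Model of alphabetical config merging and an audit for untrusted overrides.

Assumptions (illustration only): configs are key=value text files and the
loader sorts names case-insensitively, as a Windows directory listing does.
"""
import re
from typing import Dict, List, Tuple

LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")
Override = Tuple[str, str, str, str]  # (key, earlier_file, later_file, value)


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def merge_in_load_order(files: Dict[str, str]) -> Tuple[Dict[str, str], List[Override]]:
    """Merge files in alphabetical load order; record every value that a
    later file replaces, with the file that originally set it."""
    effective: Dict[str, str] = {}
    origin: Dict[str, str] = {}
    overrides: List[Override] = []
    for name in sorted(files, key=str.lower):
        for key, value in parse_config(files[name]).items():
            if key in effective and effective[key] != value:
                overrides.append((key, origin[key], name, value))
            effective[key] = value
            origin[key] = name
    return effective, overrides


def audit(files: Dict[str, str], trusted: set) -> List[Override]:
    """Return overrides whose winning file is not in the trusted set."""
    return [o for o in merge_in_load_order(files)[1] if o[2] not in trusted]


# Constructed sample: a vendor-shipped file plus a user-dropped file whose
# name sorts later, so it wins for the setting it repeats.
SAMPLE = {
    "appspider.conf": "scan.auth_required=true\nreport.dir=C:\\Reports\n",
    "zz_user.conf": "# dropped by a standard user\nscan.auth_required=false\n",
}
TRUSTED = {"appspider.conf"}

if __name__ == "__main__":
    for key, before, after, value in audit(SAMPLE, TRUSTED):
        print(f"{key}: set by {before}, overridden by untrusted {after} -> {value!r}")
```

Run against a real directory, the same audit would read the files from disk and treat only vendor-installed files as trusted; any override reported is a setting an unprivileged user could have changed.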
Affected Version(s)
Appspider Pro: all versions before 7.5.021 (0 <= version < 7.5.021)
References
CVSS V3.1
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Score: 3.3
Severity: LOW
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thank you to Maksymilian Kubiak [Afine Team] for the responsible disclosure to Rapid7