Authorization Flaw in Secure-upload Service from Apollo
CVE-2025-53709

5.4 MEDIUM

Key Information:

Vendor: Palantir
CVE Published: 10 July 2025

What is CVE-2025-53709?

The Secure-upload service from Apollo is designed to validate single-use tokens for data submissions. However, under certain conditions, authenticated and privileged users can exploit the service by selecting email templates not intended for their enrollment. Additionally, these users may redirect submission channels to a dataset they control, compromising the integrity of the data submission process. Furthermore, unauthenticated users can exploit an endpoint to enumerate existing enrollments, revealing sensitive information. The affected service has been updated to version 0.815.0 to address these issues.

Affected Version(s)

com.palantir.secupload:secure-upload * < 0.815.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
