
Security Bulletin: IBM Event Streams is vulnerable to Server Side Request Forgery (SSRF) due to the axios component (CVE-2025-27152).

Summary

IBM Event Streams is vulnerable to Server Side Request Forgery (SSRF) due to the axios component. In Event Streams, axios is used to make HTTP requests to the Event Streams REST Admin API, such as creating or listing Kafka topics.

Vulnerability Details

CVEID: CVE-2025-27152
DESCRIPTION: axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue impacts both server-side and client-side usage of axios. This issue is fixed in 1.8.2.
CWE: CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source: IBM
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Event Streams | 11.3.0 – 11.7.0 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading. Upgrade to IBM Event Streams 11.8.0 by following the upgrading and migrating documentation.

Workarounds and Mitigations
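The defect described above is that a caller-supplied absolute or protocol-relative URL silently overrides baseURL, so the request (and any credentials attached to it) goes to a host the caller chose. A compensating control on the application side is to resolve every path against the configured baseURL first and refuse anything that lands on a different origin. The following is an added example written for this bulletin; it is not IBM Event Streams or axios code, and the Admin API host name and paths in it are constructed for illustration.

```javascript
// Added example (not IBM's or axios's own code): keep request paths inside the
// configured baseURL before they reach an HTTP client such as axios.
// ADMIN_BASE_URL is a constructed, hypothetical Admin API endpoint.
const ADMIN_BASE_URL = 'https://eventstreams-admin.example.invalid/api/v1/';

// Resolve `path` against `baseURL` exactly as a browser would, then accept the
// result only if it stays on the same origin (scheme + host + port).
// An absolute URL ("https://other/...") and a protocol-relative URL
// ("//other/...") both resolve to a foreign origin and are rejected here,
// whereas a vulnerable client would send the request there unchanged.
function resolveWithinBase(baseURL, path) {
  const base = new URL(baseURL);
  const target = new URL(path, base); // relative paths resolve under base
  if (target.origin !== base.origin) {
    throw new Error(`refusing request outside ${base.origin}: ${target.href}`);
  }
  return target.href;
}

// Boolean form of the same check, convenient for input validation and logging.
function isWithinBase(baseURL, path) {
  try {
    resolveWithinBase(baseURL, path);
    return true;
  } catch (e) {
    return false;
  }
}

// Build the request object a caller would hand to the HTTP client: the URL is
// the validated absolute form, so the client's own baseURL handling no longer
// decides where the request goes.
function buildAdminRequest(path, method = 'GET') {
  return { method, url: resolveWithinBase(ADMIN_BASE_URL, path) };
}

// Constructed sample inputs: the first two are legitimate Admin API paths, the
// last two are the shapes that trigger the SSRF in unpatched axios.
const SAMPLE_PATHS = [
  'topics',
  '/api/v1/topics/orders',
  'https://other.example.invalid/topics',
  '//other.example.invalid/topics',
];

function classifySamples() {
  return SAMPLE_PATHS.map((p) => ({ path: p, allowed: isWithinBase(ADMIN_BASE_URL, p) }));
}
```

The check is independent of the client library: an upgraded axios fixes the override, but validating the resolved origin before the call also catches the same class of input when a different client or a future regression is involved, and the rejection is a good point at which to emit a security log event.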

