IBM App Connect Enterprise fixes critically vulnerable third-party module
Take action: If you are running IBM App Connect Enterprise, start planning an update. At least one critical flaw needs to be patched. If the system is exposed to external or untrusted networks, this is an urgent item. Otherwise it's a planned patch. Just don't ignore it.
Learn More
IBM has addressed multiple security vulnerabilities in App Connect Enterprise, including a critical severity flaw that poses a significant threat to organizations using vulnerable versions. The security update addresses two distinct vulnerabilities affecting IBM App Connect Enterprise runtime, IBM App Connect Enterprise Discovery Connectors, and IBM App Connect Enterprise Connector Discovery and OpenAPI Editor.
Vulnerabilities summary
- CVE-2025-1302 (CVSS score 9.8): A Remote Code Execution (RCE) vulnerability in the jsonpath-plus package before version 10.3.0 due to improper input sanitization. This vulnerability allows attackers to execute arbitrary code on the system by exploiting the unsafe default usage of 'eval=safe' mode. This vulnerability stems from an incomplete fix for a previously identified vulnerability (CVE-2024-21534) that was originally reported in December 2024.
- CVE-2025-24791 (CVSS score 4.4): An improper preservation of permissions vulnerability in the snowflake-connector-nodejs package. File permissions checks of the temporary credential cache could be bypassed by an attacker with write access to the local cache directory, affecting versions 1.12.0 through 2.0.1 on Linux systems.
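The product itself is fixed by the fix packs listed below, but the two affected modules are ordinary npm packages that can also appear in your own integration code. As an added example (not from IBM's advisory), this Node script walks an npm package-lock.json (lockfileVersion 2/3 `packages` map) and flags copies of jsonpath-plus and snowflake-connector-nodejs at the versions named above; the lockfile content embedded here is constructed for illustration.

```javascript
// Added example: inventory an npm lockfile for the two modules named in the
// advisory. Version boundaries are the ones stated in the advisory text.
const AFFECTED = [
  { name: 'jsonpath-plus', cve: 'CVE-2025-1302',
    affected: v => cmp(v, '10.3.0') < 0 },                         // fixed in 10.3.0
  { name: 'snowflake-connector-nodejs', cve: 'CVE-2025-24791',
    affected: v => cmp(v, '1.12.0') >= 0 && cmp(v, '2.0.1') <= 0 }, // 1.12.0 .. 2.0.1
];

// Minimal semver comparison on the numeric major.minor.patch part.
// Pre-release suffixes are ignored; good enough for a coarse inventory check.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// lockfileVersion 2/3 keys look like "node_modules/<name>" or, for nested
// duplicate copies, "node_modules/<parent>/node_modules/<name>".
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name || !meta.version) continue;
    for (const rule of AFFECTED) {
      if (name === rule.name && rule.affected(meta.version)) {
        hits.push({ path, name, version: meta.version, cve: rule.cve });
      }
    }
  }
  return hits;
}

// Constructed sample lockfile (not real project data): a fixed top-level
// jsonpath-plus, a vulnerable nested copy, and an affected snowflake build.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-flow', version: '1.0.0' },
    'node_modules/jsonpath-plus': { version: '10.3.0' },
    'node_modules/some-connector/node_modules/jsonpath-plus': { version: '10.2.0' },
    'node_modules/snowflake-connector-nodejs': { version: '2.0.1' },
  },
};

if (typeof require === 'function' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const h of findAffected(lock)) console.log(`${h.cve}: ${h.path}@${h.version}`);
}
```

Run it as `node check-lock.js path/to/package-lock.json`; with no argument it scans the embedded sample. Nested copies matter because a fixed top-level version does not remove a vulnerable one pulled in by another dependency.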
The vulnerabilities impact the following IBM products and versions:
- IBM App Connect Enterprise versions 13.0.1.0 through 13.0.2.2
- IBM App Connect Enterprise versions 12.0.1.0 through 12.0.12.11
IBM strongly recommends addressing these vulnerabilities immediately by applying the appropriate fixes:
- For IBM App Connect Enterprise v13 (versions 13.0.1.0 - 13.0.2.2): Install Fix Pack Release 13.0.3.0 with APAR IT47820
- For IBM App Connect Enterprise v12 (versions 12.0.1.0 - 12.0.12.11): Install Fix Pack Release 12.0.12.12 with APAR IT47820
There are currently no known workarounds or mitigations for these vulnerabilities. IBM claims that there are no reports of attackers exploiting these vulnerabilities in the wild.