What is IBM App Connect Enterprise and what does it do?

IBM App Connect Enterprise is a business integration platform used to connect applications, data, and services across hybrid cloud environments. The platform enables organizations to integrate various systems and facilitate data flow between different business applications.

What is CVE-2025-7783 and why is it critical?

CVE-2025-7783 has a critical CVSS score of 9.4 and involves the use of insufficiently random values in form-data. This vulnerability allows HTTP Parameter Pollution attacks that enable attackers to manipulate HTTP parameters and potentially access protected information. Successful exploitation could allow attackers to bypass security controls and gain unauthorized access to sensitive data processed by the integration platform.

How does CVE-2025-7338 affect IBM App Connect Enterprise operations?

CVE-2025-7338 (CVSS score 7.5) is a denial-of-service vulnerability in the Multer Node.js middleware. It allows attackers to trigger denial-of-service conditions by sending malformed multi-part upload requests, causing unhandled exceptions that crash the application process and potentially disrupt critical business integration workflows.

Which Node.js middleware components contain the vulnerabilities?

The vulnerabilities are found in three Node.js middleware components: Multer (CVE-2025-7338), form-data (CVE-2025-7783), and on-headers (CVE-2025-7339). These flaws impact the Connector Discovery and OpenAPI Editor, Discovery Connectors, and Runtime components of the IBM App Connect Enterprise platform.

What IBM App Connect Enterprise versions are affected by these vulnerabilities?

The affected versions include IBM App Connect Enterprise versions 12.0.1.0 through 12.0.12.16 and versions 13.0.1.0 through 13.0.4.1. Both major version branches require immediate updates to address these security flaws.

How can organizations fix the IBM App Connect Enterprise vulnerabilities?

Organizations running IBM App Connect Enterprise version 13.0.1.0 through 13.0.4.1 should upgrade to Fix Pack Release 13.0.4.2 immediately. Organizations running version 12.0.1.0 through 12.0.12.16 should apply Fix Pack Release 12.0.12.17.

What is CVE-2025-7339 and how does it impact IBM App Connect Enterprise?

CVE-2025-7339 (CVSS score 3.4) involves improper handling of unexpected data types in the on-headers middleware. This vulnerability may result in inadvertent modification of response headers when arrays are passed to the response.writeHead() function instead of objects. While less critical, this flaw could potentially be leveraged in combination with other attacks to manipulate HTTP communications.

Which specific middleware versions are vulnerable in IBM App Connect Enterprise?

The form-data vulnerability (CVE-2025-7783) affects versions prior to 2.5.4, 3.0.0 through 3.0.3, and 4.0.0 through 4.0.3. The Multer vulnerability (CVE-2025-7338) affects versions 1.4.4-lts.1 through 2.0.1. Specific vulnerable versions of the on-headers middleware were not disclosed.

What business risks do these IBM App Connect Enterprise vulnerabilities pose?

These vulnerabilities pose significant business risks including unauthorized access to sensitive data processed by integration workflows, manipulation of critical business data, disruption of integration processes through denial-of-service attacks, and potential bypassing of security controls. Given that App Connect Enterprise connects various business systems, a compromise could have widespread impact across an organization's IT infrastructure.

Advisory

IBM App Connect Enterprise patches multiple vulnerabilities, at least one critical

published: Sept. 1, 2025

Take action: If you're running IBM App Connect Enterprise, check if you can isolate it from the internet and make it accessible from trusted networks. If you can, you have a bit more time for a patch. If your IBM App Connect needs to be exposed to the internet, this is a high priority patch.

Learn More

IBM is reporting multiple security vulnerabilities in App Connect Enterprise that could allow remote attackers to manipulate data, access protected information, and disrupt business operations through denial-of-service attacks.

IBM App Connect Enterprise is a business integration platform used to connect applications, data, and services across hybrid cloud environments.

The vulnerabilities are caused from flaws in Node.js middleware components: Multer, form-data, and on-headers. The flaws impact the Connector Discovery and OpenAPI Editor, Discovery Connectors, and Runtime components of the platform.

Vulnerabilities summary:

CVE-2025-7783 (CVSS score 9.4) - Use of Insufficiently Random Values in form-data. This vulnerability allows HTTP Parameter Pollution attacks that enable attackers to manipulate HTTP parameters and potentially access protected information. The flaw affects form-data versions prior to 2.5.4, 3.0.0 through 3.0.3, and 4.0.0 through 4.0.3. Successful exploitation could allow attackers to bypass security controls and gain unauthorized access to sensitive data processed by the integration platform.
CVE-2025-7338 (CVSS score 7.5) - Denial of Service in Multer. This vulnerability in the Multer Node.js middleware allows attackers to trigger denial-of-service conditions by sending malformed multi-part upload requests. The vulnerability causes unhandled exceptions that crash the application process, potentially disrupting critical business integration workflows. The flaw affects Multer versions 1.4.4-lts.1 through 2.0.1.
CVE-2025-7339 (CVSS score 3.4) - Improper Handling of Unexpected Data Type in on-headers. This vulnerability in the on-headers middleware may result in inadvertent modification of response headers when arrays are passed to the response.writeHead() function instead of objects. While less critical than the other vulnerabilities, this flaw could potentially be leveraged in combination with other attacks to manipulate HTTP communications.

Affected versions include IBM App Connect Enterprise versions 12.0.1.0 through 12.0.12.16 and versions 13.0.1.0 through 13.0.4.1.

Organizations running IBM App Connect Enterprise version 13.0.1.0 through 13.0.4.1 should upgrade to Fix Pack Release 13.0.4.2 immediately.
Organizations running IBM App Connect Enterprise version 12.0.1.0 through 12.0.12.16 should apply Fix Pack Release 12.0.12.17.

IBM App Connect Enterprise patches multiple vulnerabilities, at least one critical

Read More
Critical vulnerability reported in Mitel MiCollab VoIP software
Broadcom patches critical VMware vCenter Server remote code …
Ivanti reports of another actively exploited Cloud Services …
CISA warns of active exploits of old Oracle …
Critical remote code execution flaw reported in MyQ …