CVE-2025-62181

Dec. 10, 2025, 9:16 p.m.

5.3
Medium

Description

Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html.

Product(s) Impacted

Vendor Product Versions
Pega
  • Pega Platform
  • 7.1.0-*, 24.1.4, 24.2.4, 25.1.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-204
Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a pega pega_platform 7.1.0-* / / / / / /
a pega pega_platform 24.1.4 / / / / / / /
a pega pega_platform 24.2.4 / / / / / / /
a pega pega_platform 25.1.1 / / / / / / /

References

https://support.pega.com/support-doc/pega-security-advisory-j25-vulnerability-remediation-note

Tags

CWE-204
security@pega.com
2025-12-10
CVE-2025-62181

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: Dec. 10, 2025, 9:16 p.m.
Last Modified: Dec. 10, 2025, 9:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@pega.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.