CVE-2025-13762 (GCVE-0-2025-13762)

Vulnerability from cvelistv5 – Published: 2025-11-27 02:50 – Updated: 2025-12-03 16:25
VLAI?
Summary
Improper Input Validation vulnerability in CyberArk CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to starting new SWS sessions.This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305.
Severity ?
4.8 (Medium)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/AU:Y
CWE
  • CWE-20 - Improper Input Validation
Assigner
References
Impacted products
Vendor Product Version
CyberArk CyberArk Secure Web Sessions Extension Affected: 0 , < 2.2.30305 (custom)
Create a notification for this product.
Credits
Benjamen Lim Goh Jing Loon Sean Seah Tan Inn Fung Zhang Bosen
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13762",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-03T16:25:14.720836Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-03T16:25:21.056Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Chrome",
            "Edge"
          ],
          "product": "CyberArk Secure Web Sessions Extension",
          "vendor": "CyberArk",
          "versions": [
            {
              "lessThan": "2.2.30305",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Benjamen Lim"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Goh Jing Loon"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Sean Seah"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Tan Inn Fung"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Zhang Bosen"
        }
      ],
      "datePublic": "2025-11-27T02:49:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Input Validation vulnerability in CyberArk CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to starting new SWS sessions.\u003cp\u003eThis issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305.\u003c/p\u003e"
            }
          ],
          "value": "Improper Input Validation vulnerability in CyberArk CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to starting new SWS sessions.This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-469",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-469 HTTP DoS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "ATTACKED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/AU:Y",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-27T06:03:49.612Z",
        "orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd",
        "shortName": "GovTech CSG"
      },
      "references": [
        {
          "url": "https://chromewebstore.google.com/detail/cyberark-secure-web-sessi/ohfinlfcbaehgokpmkjcmkgdcbgamgln?hl=en"
        },
        {
          "url": "https://microsoftedge.microsoft.com/addons/detail/cyberark-secure-web-sessi/gmfjibhpaliafbemoifjjdkmgaknhohb?hl=en-US"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate SWS extension to v2.2.30305 or newer\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Update SWS extension to v2.2.30305 or newer"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Client-Side Denial of Service Condition in SWS Extension prior to version 2.2.30305",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd",
    "assignerShortName": "GovTech CSG",
    "cveId": "CVE-2025-13762",
    "datePublished": "2025-11-27T02:50:03.874Z",
    "dateReserved": "2025-11-27T02:49:11.941Z",
    "dateUpdated": "2025-12-03T16:25:21.056Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-13762\",\"sourceIdentifier\":\"cve_disclosure@tech.gov.sg\",\"published\":\"2025-11-27T03:15:58.613\",\"lastModified\":\"2025-12-01T15:39:33.110\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Input Validation vulnerability in CyberArk CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to starting new SWS sessions.This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cve_disclosure@tech.gov.sg\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"ATTACKED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"YES\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cve_disclosure@tech.gov.sg\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"references\":[{\"url\":\"https://chromewebstore.google.com/detail/cyberark-secure-web-sessi/ohfinlfcbaehgokpmkjcmkgdcbgamgln?hl=en\",\"source\":\"cve_disclosure@tech.gov.sg\"},{\"url\":\"https://microsoftedge.microsoft.com/addons/detail/cyberark-secure-web-sessi/gmfjibhpaliafbemoifjjdkmgaknhohb?hl=en-US\",\"source\":\"cve_disclosure@tech.gov.sg\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13762\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-03T16:25:14.720836Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-03T16:25:18.196Z\"}}], \"cna\": {\"title\": \"Client-Side Denial of Service Condition in SWS Extension prior to version 2.2.30305\", \"source\": {\"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Benjamen Lim\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Goh Jing Loon\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Sean Seah\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Tan Inn Fung\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Zhang Bosen\"}], \"impacts\": [{\"capecId\": \"CAPEC-469\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-469 HTTP DoS\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 4.8, \"Automatable\": \"YES\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/AU:Y\", \"exploitMaturity\": \"ATTACKED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"CyberArk\", \"product\": \"CyberArk Secure Web Sessions Extension\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.2.30305\", \"versionType\": \"custom\"}], \"platforms\": [\"Chrome\", \"Edge\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update SWS extension to v2.2.30305 or newer\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eUpdate SWS extension to v2.2.30305 or newer\u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2025-11-27T02:49:00.000Z\", \"references\": [{\"url\": \"https://chromewebstore.google.com/detail/cyberark-secure-web-sessi/ohfinlfcbaehgokpmkjcmkgdcbgamgln?hl=en\"}, {\"url\": \"https://microsoftedge.microsoft.com/addons/detail/cyberark-secure-web-sessi/gmfjibhpaliafbemoifjjdkmgaknhohb?hl=en-US\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Input Validation vulnerability in CyberArk CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to starting new SWS sessions.This issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Input Validation vulnerability in CyberArk CyberArk Secure Web Sessions Extension on Chrome, Edge allows Denial of Service when trying to starting new SWS sessions.\u003cp\u003eThis issue affects CyberArk Secure Web Sessions Extension: before 2.2.30305.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"1a37b84a-8e51-4525-b3d6-87e2fae01dbd\", \"shortName\": \"GovTech CSG\", \"dateUpdated\": \"2025-11-27T06:03:49.612Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-13762\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-03T16:25:21.056Z\", \"dateReserved\": \"2025-11-27T02:49:11.941Z\", \"assignerOrgId\": \"1a37b84a-8e51-4525-b3d6-87e2fae01dbd\", \"datePublished\": \"2025-11-27T02:50:03.874Z\", \"assignerShortName\": \"GovTech CSG\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.