Cyber Resilience

CVE-2025-1395

HighUpdated

Published: 30 January 2026

Published
30 January 2026
Modified
06 June 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0030 21.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-1395 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Gov (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-1395 is a Generation of Error Message Containing Sensitive Information vulnerability (CWE-209) in HeyGarson, a product from Codriapp Innovation and Software Technologies Inc. The flaw enables fuzzing for application mapping by leaking sensitive details through error messages. It affects all versions of HeyGarson through 30012026. The vulnerability received a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.

Remote, unauthenticated attackers can exploit this vulnerability over the network by sending crafted fuzzing inputs to the affected HeyGarson application. Successful exploitation allows attackers to map the application's structure and extract sensitive information from error responses, achieving high confidentiality impact through information disclosure and low integrity impact, potentially aiding further attacks like reconnaissance for targeted exploits.

The primary advisory is available at https://www.usom.gov.tr/bildirim/tr-26-0009. No patches or vendor fixes are confirmed, as the vendor was contacted multiple times to verify the fixing process but did not respond. Security practitioners should isolate or discontinue use of affected HeyGarson instances until further mitigation details emerge.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping. This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verifying fixing process but did…

more

not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1592 Gather Victim Host Information Reconnaissance
Adversaries may gather information about the victim's hosts that can be used during targeting.
Why these techniques?

Vuln enables remote info disclosure via error messages for app mapping/recon (T1592) on a public-facing app (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-46658Shared CWE-209
CVE-2023-38010Shared CWE-209
CVE-2025-71282Shared CWE-209
CVE-2026-43873Shared CWE-209
CVE-2025-47813Shared CWE-209
CVE-2024-11625Shared CWE-209
CVE-2026-42552Shared CWE-209
CVE-2025-31141Shared CWE-209
CVE-2026-42459Shared CWE-209
CVE-2024-12380Shared CWE-209

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-11 requires effective error handling that prevents the generation of error messages containing sensitive information, directly mitigating the disclosure enabling application mapping via fuzzing.

prevent

SI-15 mandates filtering of sensitive information prior to output to external systems, blocking the leakage of application details in error responses to crafted fuzzing inputs.

detect

AU-13 enables monitoring for events indicating information disclosure, such as sensitive data appearing in error messages during fuzzing attempts.

References