Cyber Resilience

CVE-2025-50900

CriticalPublic PoC

Published: 25 August 2025

Published
25 August 2025
Modified
09 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0096 76.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-50900 is a critical-severity Improper Access Control (CWE-284) vulnerability in Getrebuild Rebuild. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-50900 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) discovered in getrebuild/rebuild version 4.0.4, affecting the com.rebuild.web.RebuildWebInterceptor class and its preHandle function. The flaw stems from filter code that uses CodecUtils.urlDecode(request.getRequestURI()) to obtain the URL-decoded request path, then checks if it ends with "/error." If true, the interceptor is skipped by returning true; otherwise, it redirects to the /user/login API. This logic, tied to CWE-284 (Improper Access Control), enables bypasses that expose sensitive information or allow privilege escalation. The vulnerability was published on 2025-08-25.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting requests that manipulate the decoded URI path to match the "/error" condition or evade the login redirect, attackers bypass authentication controls in the interceptor, potentially accessing restricted resources and achieving high impacts on confidentiality, integrity, and availability.

Advisories detailing the issue, including potential mitigations, are available at https://racerz.notion.site/Rebuild-Vulnerability-1ede0e0074f280d8a906c38442a393f0 and https://www.notion.so/racerz/Rebuild-Vulnerability-1ede0e0074f280d8a906c38442a393f0?pvs=4.

EU & UK References

Vulnerability details

An issue was discovered in getrebuild/rebuild 4.0.4. The affected source code class is com.rebuild.web.RebuildWebInterceptor, and the affected function is preHandle In the filter code, use CodecUtils.urlDecode(request.getRequestURI()) to obtain the URL-decoded request path, and then determine whether the path endsWith /error.…

more

If so, execute return true to skip this Interceptor. Else, redirect to /user/login api. Allowing unauthenticated attackers to gain sensitive information or escalated privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing web interceptor (preHandle URI decoding logic) directly enables remote exploitation of the application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39339Shared CWE-284
CVE-2026-46839Shared CWE-284
CVE-2025-26010Shared CWE-284
CVE-2026-34291Shared CWE-284
CVE-2023-47539Shared CWE-284
CVE-2026-23899Shared CWE-284
CVE-2025-7016Shared CWE-284
CVE-2026-46822Shared CWE-284
CVE-2024-37566Shared CWE-284
CVE-2026-30689Shared CWE-284

Affected Assets

getrebuild
rebuild
≤ 4.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires enforcement mechanisms like web interceptors to correctly implement access control policies, directly preventing bypasses from flawed URI decoding and path suffix checks.

prevent

Mandates validation of inputs such as request URIs to block crafted requests that exploit decoding logic to evade authentication.

prevent

Ensures error handling logic, including special treatment of /error paths, does not compromise access controls or enable privilege escalation.

References