CVE-2025-50900
Published: 25 August 2025
Summary
CVE-2025-50900 is a critical-severity Improper Access Control (CWE-284) vulnerability in Getrebuild Rebuild. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires enforcement mechanisms like web interceptors to correctly implement access control policies, directly preventing bypasses from flawed URI decoding and path suffix checks.
Mandates validation of inputs such as request URIs to block crafted requests that exploit decoding logic to evade authentication.
Ensures error handling logic, including special treatment of /error paths, does not compromise access controls or enable privilege escalation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in public-facing web interceptor (preHandle URI decoding logic) directly enables remote exploitation of the application for unauthorized access.
NVD Description
An issue was discovered in getrebuild/rebuild 4.0.4. The affected source code class is com.rebuild.web.RebuildWebInterceptor, and the affected function is preHandle In the filter code, use CodecUtils.urlDecode(request.getRequestURI()) to obtain the URL-decoded request path, and then determine whether the path endsWith /error.…
more
If so, execute return true to skip this Interceptor. Else, redirect to /user/login api. Allowing unauthenticated attackers to gain sensitive information or escalated privileges.
Deeper analysisAI
CVE-2025-50900 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) discovered in getrebuild/rebuild version 4.0.4, affecting the com.rebuild.web.RebuildWebInterceptor class and its preHandle function. The flaw stems from filter code that uses CodecUtils.urlDecode(request.getRequestURI()) to obtain the URL-decoded request path, then checks if it ends with "/error." If true, the interceptor is skipped by returning true; otherwise, it redirects to the /user/login API. This logic, tied to CWE-284 (Improper Access Control), enables bypasses that expose sensitive information or allow privilege escalation. The vulnerability was published on 2025-08-25.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting requests that manipulate the decoded URI path to match the "/error" condition or evade the login redirect, attackers bypass authentication controls in the interceptor, potentially accessing restricted resources and achieving high impacts on confidentiality, integrity, and availability.
Advisories detailing the issue, including potential mitigations, are available at https://racerz.notion.site/Rebuild-Vulnerability-1ede0e0074f280d8a906c38442a393f0 and https://www.notion.so/racerz/Rebuild-Vulnerability-1ede0e0074f280d8a906c38442a393f0?pvs=4.
Details
- CWE(s)