CVE-2025-2950Improper Neutralization of HTTP Headers for Scripting Syntax in IBM I

CWE-644Improper Neutralization of HTTP Headers for Scripting SyntaxCWE-1321Prototype Pollution5 documents5 sources
Severity
5.4MEDIUMNVD
GHSA6.9
EPSS
0.2%
top 61.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
IBM I
Timeline
PublishedApr 18
Latest updateApr 1

Description

IBM i 7.3, 7.4, 7.5, and 7.5 is vulnerable to a host header injection attack caused by improper neutralization of HTTP header content by IBM Navigator for i. An authenticated user can manipulate the host header in HTTP requests to change domain/IP address which may lead to unexpected behavior.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

CVEListV5ibm/i4 versions+3
NVDibm/i4 versions+3

🔴Vulnerability Details

3
GHSA
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`2026-04-01
GHSA
GHSA-8c8c-3855-2gv4: IBM i 72025-04-21
CVEList
IBM i improper HTTP header neutralization2025-04-18
CVE-2025-2950 — IBM I vulnerability | cvebase