Auth deletion of reviews via client-side enforcement in IBM Doors Next 7.0.2-7.1
CVE-2025-2139 Published on October 12, 2025

IBM Engineering Requirements Management Doors Next security bypass
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete reviews from other users due to client-side enforcement of server-side security.

Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:
ADJACENT_NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Client-Side Enforcement of Server-Side Security

The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.


Products Associated with CVE-2025-2139

Want to know whenever a new CVE is published for IBM Engineering Requirements Management Doors Next? stack.watch will email you.

IBM Engineering Requirements Management Doors Next
 

Affected Versions

IBM Engineering Requirements Management Doors Next:

Exploit Probability

EPSS
0.03%
Percentile
8.24%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.