HCL DevOps Loop: Improper Auth via Expired/Tampered Tokens
CVE-2025-55278 Published on November 5, 2025

HCL DevOps Loop is susceptible to an improper authentication vulnerability
Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to gain unauthorized access to sensitive resources and perform actions with elevated privileges.

NVD

Vulnerability Analysis

CVE-2025-55278 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Types

Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Improper Verification of Cryptographic Signature

The software does not verify, or incorrectly verifies, the cryptographic signature for data.


Products Associated with CVE-2025-55278

Want to know whenever a new CVE is published for Hcl Devops Loop? stack.watch will email you.

Hcl Devops Loop
 

Affected Versions

HCL Software DevOps Loop Version 1.0.2 is affected by CVE-2025-55278

Exploit Probability

EPSS
0.02%
Percentile
6.50%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.