CVE-2025-3578

CVE-2025-3578 is a critical-severity vulnerability with a CVSS 4.0 base score of 9.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1039.

Key facts

Description

A malicious, authenticated user in Aidex, versions prior to 1.7, could list credentials of other users, create or modify existing users in the application, list credentials of users in production or development environments. In addition, it would be possible to cause bugs that would result in the exfiltration of sensitive information, such as details about the software or internal system paths. These actions could be carried out through the misuse of LLM Prompt (chatbot) technology, via the /api/<string-chat>/message endpoint, by manipulating the contents of the ‘content’ parameter.

Frequently asked questions

What is CVE-2025-3578?
A malicious, authenticated user in Aidex, versions prior to 1.7, could list credentials of other users, create or modify existing users in the application, list credentials of users in production or development environments. In addition, it would be possible to cause bugs that would result in the exfiltration of sensitive information, such as details about the software or internal system paths. These actions could be carried out through the misuse of LLM Prompt (chatbot) technology, via the /api/<string-chat>/message endpoint, by manipulating the contents of the ‘content’ parameter.
How severe is CVE-2025-3578?
CVE-2025-3578 has a CVSS 4.0 base score of 9.3, rated critical severity.
Is CVE-2025-3578 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-3578?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2025-3578 have an EU (EUVD) identifier?
Yes. CVE-2025-3578 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-10934.
When was CVE-2025-3578 published?
CVE-2025-3578 was published on 2025-04-15 and last updated on 2026-06-17.

References

Other CWE-1039 vulnerabilities

Browse all CWE-1039 vulnerabilities →