CVE-2025-13219 is a vulnerability identified in IBM Aspera Orchestrator versions 3.0.0 through 4.1.2, where sensitive information is transmitted using HTTP GET request parameters. This practice violates secure design principles because URLs, including query strings, are often logged by web servers, stored in browser histories, and sent in HTTP referrer headers to third-party sites. As a result, sensitive data such as authentication tokens, session identifiers, or confidential parameters can be inadvertently exposed to unauthorized parties who gain access to these logs or histories. The vulnerability is classified under CWE-598, which highlights the risk of using GET requests with sensitive query strings. The CVSS v3.1 base score is 5.9, indicating a medium severity level. The vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). There are no known exploits in the wild, and no patches are currently linked, suggesting mitigation relies on configuration changes or updates from IBM. The vulnerability primarily risks confidentiality by exposing sensitive data through common web mechanisms that are often overlooked in security controls.

The primary impact of this vulnerability is the potential disclosure of sensitive information such as credentials, tokens, or proprietary data embedded in URL query parameters. If attackers or unauthorized users gain access to server logs, browser histories, or referrer headers, they can harvest this information to facilitate further attacks such as unauthorized access, session hijacking, or data exfiltration. Organizations relying on IBM Aspera Orchestrator for secure file transfer and orchestration may face increased risk of data leakage, undermining confidentiality and trust. Although integrity and availability are not directly affected, the exposure of sensitive data can lead to broader security incidents. The medium severity rating reflects the need for attackers to have access to logs or browsing data, which may limit exploitation but does not eliminate risk, especially in environments with shared or poorly secured infrastructure. The lack of known exploits suggests limited current active threat but does not preclude future exploitation as awareness grows.

To mitigate this vulnerability, organizations should immediately review and modify their use of IBM Aspera Orchestrator to avoid transmitting sensitive information in URL query strings. This can include switching to POST requests for sensitive data, using secure cookies or headers for authentication tokens, and implementing URL rewriting or parameter encryption if feasible. Administrators should audit web server and proxy logs to identify exposure of sensitive data and restrict access to these logs to authorized personnel only. Browser history and referrer leakage can be minimized by implementing Content Security Policy (CSP) directives and referrer policy headers to limit referrer data sent to third parties. IBM should be contacted for official patches or updates, and organizations should monitor IBM security advisories for fixes. Additionally, network segmentation and strict access controls around systems handling Aspera Orchestrator logs can reduce the risk of unauthorized access. Regular security training to raise awareness about secure URL handling practices is also recommended.