
CVE-2025-13691: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in IBM DataStage on Cloud Pak for Data

Severity: High
Tags: Vulnerability, CVE, CVE-2025-13691, CWE-497
Published: Tue Feb 17 2026 (02/17/2026, 20:17:24 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: DataStage on Cloud Pak for Data

Description

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system.

AI-Powered Analysis

Last updated: 02/18/2026, 08:19:04 UTC

Technical Analysis

CVE-2025-13691 is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). IBM DataStage on Cloud Pak for Data versions 5.1.2 through 5.3.0 include sensitive information in an HTTP response, and an attacker holding a low-privileged account (PR:L) can use what is returned to impersonate other users in the system, which in practice escalates the attacker's access to whatever the impersonated users are entitled to.

The CVSS v3.1 base score is 8.1 (High): network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality and integrity impact (C:H/I:H) and no availability impact (A:N). Exploitation requires an authenticated account, so the pool of potential attackers is every identity that can log in to the platform, including compromised, contractor or otherwise low-trust accounts.

The advisory does not state which data is returned. Because the leak enables impersonation, the response most plausibly carries credential or identity material for other users (for example session identifiers, tokens, or user records from which such material can be derived); that is an inference from the stated impact, not a detail IBM has published. No public exploit has been reported so far. Since DataStage sits at the centre of enterprise data integration and processing, impersonating another user could yield access to data sources, pipeline definitions and processed data well beyond the attacker's own entitlements, with the data-breach, data-manipulation and compliance consequences that follow.

Potential Impact

For European organizations this vulnerability is primarily a risk to data confidentiality and integrity. IBM DataStage is widely used in finance, healthcare and manufacturing, sectors regulated under GDPR and sector-specific data protection rules, and a successful impersonation gives an attacker the data access of the impersonated user: personal data, corporate data and the pipelines that move them. Beyond a breach, the ability to act as another user lets an attacker bypass access controls, alter pipeline definitions or their outputs, and disrupt business-critical processing. Because a DataStage deployment typically holds connection details and credentials for the upstream and downstream systems it integrates, it is also a natural pivot point, so impersonation can facilitate lateral movement into other parts of the data estate. Organizations processing sensitive personal data or operating under strict regulatory regimes face the most severe consequences.

Mitigation Recommendations

The definitive fix is to apply the update IBM publishes for CVE-2025-13691; consult IBM's security bulletin for the fixed versions of DataStage on Cloud Pak for Data and upgrade affected 5.1.2 through 5.3.0 installations accordingly. Until that is done, the following reduce exposure.

Restrict reach. Keep the DataStage service reachable only from trusted networks and identity-aware access paths. Segmentation does not remove the risk on its own, because the attacker needs only a valid low-privileged login, but it limits who is in a position to present one.

Shrink the authenticated population. Since any authenticated user can attempt this, the useful control is not "fewer low-privileged users" but fewer accounts overall: remove dormant and shared accounts, enforce SSO with MFA, and review who can obtain a DataStage session at all.

Inspect traffic. Where a reverse proxy or WAF can inspect response bodies, add rules that alert on credential-shaped material (tokens, session identifiers) in responses, and log request and response metadata for DataStage endpoints so that a low-privileged account enumerating user-related resources stands out. Treat such alerts as detection rather than prevention; a WAF cannot reliably block a leak whose exact shape is unknown.

Plan for compromised secrets. If the exposed data turns out to include session tokens or other credentials, they must be treated as compromised: after patching, invalidate active sessions, rotate the affected secrets, and review audit logs for actions performed under accounts whose owners did not perform them.

Finally, include DataStage in regular security assessments and penetration tests, and make sure incident response playbooks cover impersonation and unauthorized access within the data platform so that containment is fast.
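The "inspect traffic" and "plan for compromised secrets" steps above both hinge on one question: does a response served to one user contain credential-shaped material that belongs to another? The block below is an added example of that triage, not code from IBM, DataStage or this page. Everything in it is hypothetical: the field names, the sample bodies and the assumption that a proxy records (requesting user, JSON body) pairs. Tune the key patterns to the real API before relying on it.

```python
"""Response-leak triage for the CWE-497 pattern (added example; not IBM's code).

Scans recorded HTTP JSON responses for secret-looking fields and rates a
finding HIGH when the enclosing object belongs to a principal other than the
requester, which is the condition that turns an information leak into
impersonation. Field names, sample data and the proxy-capture model are all
hypothetical.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Key names that usually carry secrets (case-insensitive substring match).
SECRET_KEY_RE = re.compile(
    r"token|secret|password|passwd|session|cookie|api[_-]?key|authorization|bearer",
    re.IGNORECASE,
)
# Values shaped like a JWT: three base64url segments, header starting with '{"'.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# Keys from which we infer which user an object belongs to (hypothetical names).
IDENTITY_KEYS = ("username", "user_id", "uid", "owner", "principal")


@dataclass
class Finding:
    path: str       # JSONPath-style location of the offending field
    severity: str   # "high" = another user's secret, "medium" = any secret
    reason: str
    preview: str    # redacted value, safe to place in an alert


def _redact(value: object) -> str:
    s = str(value)
    return f"{s[:4]}...({len(s)} chars)" if len(s) > 4 else "..."


def _objects(node: object, path: str = "$"):
    """Yield (path, dict) for every JSON object in the tree, depth first."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _objects(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _objects(value, f"{path}[{i}]")


def scan_response(requester: str, body: str) -> list[Finding]:
    """Return findings for secret material in a JSON body served to `requester`."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []  # non-JSON bodies are out of scope for this example
    findings: list[Finding] = []
    for path, obj in _objects(data):
        # Whose object is this? First identity key present decides; None if unknown.
        owner = next((str(obj[k]) for k in IDENTITY_KEYS if k in obj), None)
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                continue  # nested containers are visited by _objects
            looks_secret = bool(SECRET_KEY_RE.search(key)) or (
                isinstance(value, str) and JWT_RE.match(value) is not None
            )
            if not looks_secret:
                continue
            if owner is not None and owner != requester:
                sev, why = "high", f"credential for '{owner}' returned to '{requester}'"
            else:
                sev, why = "medium", "secret material present in response body"
            findings.append(Finding(f"{path}.{key}", sev, why, _redact(value)))
    return findings


# Constructed sample responses; not captured from any real system.
SAMPLE_LEAK = json.dumps({
    "users": [
        {"username": "alice", "role": "viewer", "session_token": "eyJhbGciOi.c2Vzc2lvbg.YWxpY2U"},
        {"username": "bob", "role": "admin", "session_token": "eyJhbGciOi.c2Vzc2lvbg.Ym9i"},
    ],
    "last_job": {"owner": "carol", "note": "eyJhbGciOiJIUzI1NiJ9.e30.c2ln"},
})
SAMPLE_CLEAN = json.dumps({
    "users": [{"username": "alice", "role": "viewer"}, {"username": "bob", "role": "admin"}],
})

if __name__ == "__main__":
    for f in scan_response("alice", SAMPLE_LEAK):
        print(f"[{f.severity.upper()}] {f.path}: {f.reason} ({f.preview})")
```

Identity fields on their own are deliberately not flagged, since user listings are normal API behaviour; the signal is a secret sitting next to someone else's identity. The JWT check catches tokens that arrive under an innocuous key, and previews are redacted so that the alert pipeline does not itself become a second copy of the leak.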


Technical Details

Data Version: 5.2
Assigner Short Name: ibm
Date Reserved: 2025-11-25T20:34:37.353Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699575b980d747be20537634

Added to database: 2/18/2026, 8:18:01 AM

Last enriched: 2/18/2026, 8:19:04 AM

Last updated: 2/21/2026, 12:19:42 AM
