CVE-2025-14591 affects Perforce Delphix Continuous Compliance version 2025.3.0 and later, specifically related to the handling of End-of-Record (EOR) characters in delimited files. The vulnerability emerged following a bug fix aimed at correctly processing CR+LF (carriage return + line feed) sequences common in Windows and DOS environments. If the EOR configuration is incorrect, the software may inaccurately parse delimited files, causing personally identifiable information (PII) to remain unmasked during compliance scanning or data masking operations. This flaw is categorized under CWE-200 (Exposure of Sensitive Information) and can lead to unintended disclosure of sensitive data. The vulnerability is remotely exploitable without authentication or user interaction, with low attack complexity. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and limited confidentiality impact (VC:L). There is no impact on integrity or availability. No public exploits are known at this time, but the risk lies in potential non-compliance with data protection regulations and exposure of sensitive personal data. The issue is specific to version 2025.3.0, and no patches have been linked yet, so organizations must monitor vendor advisories. The vulnerability primarily affects environments processing Windows-style delimited files with PII, common in compliance and data governance workflows.

For European organizations, the exposure of unmasked PII due to this vulnerability can lead to significant regulatory and reputational risks, especially under GDPR and other data privacy laws. Failure to properly mask sensitive data can result in unauthorized disclosure, potentially triggering data breach notifications, fines, and loss of customer trust. Organizations relying on Delphix Continuous Compliance for automated data masking and compliance reporting may unknowingly expose sensitive information internally or to third parties. This could impact sectors with high volumes of PII such as finance, healthcare, and government. The medium severity reflects that while the vulnerability does not affect system availability or integrity, the confidentiality breach alone is critical in privacy-sensitive environments. Additionally, inaccurate parsing could undermine compliance audits and data governance efforts, leading to operational disruptions. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop targeted methods to exploit misconfigurations.

European organizations should immediately audit their Delphix Continuous Compliance configurations to ensure correct End-of-Record (EOR) settings for their delimited files, particularly verifying CR+LF handling. They should conduct thorough testing of data masking results to confirm that PII is properly obfuscated under current configurations. Until an official patch is released, consider implementing compensating controls such as restricting access to raw data outputs and increasing monitoring for unusual data access patterns. Engage with Perforce support to obtain guidance on interim fixes or configuration best practices. Incorporate validation steps in compliance workflows to detect unmasked PII early. Additionally, review and update incident response plans to address potential data exposure incidents stemming from this vulnerability. Organizations should also maintain up-to-date inventories of affected software versions and plan timely upgrades once patches become available. Finally, ensure that all relevant staff are informed about the vulnerability and trained to recognize potential impacts.