CVE-2025-14591: Vulnerability in Perforce Delphix Continuous Compliance
After a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked.
AI Analysis
Technical Summary
CVE-2025-14591 is a vulnerability identified in Perforce's Delphix Continuous Compliance product, version 2025.3.0. The issue stems from a recent bug fix intended to properly handle CR+LF (Carriage Return + Line Feed) End-of-Record (EOR) characters commonly used in Windows and DOS delimited files. However, if the EOR configuration is incorrect, the software may parse delimited files inaccurately. This parsing flaw leads to a failure in masking personally identifiable information (PII) as intended by the compliance tool. Since Delphix Continuous Compliance is used to enforce data masking policies and ensure regulatory compliance, inaccurate parsing undermines its core functionality, potentially exposing sensitive data. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with attack vector network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and limited impact confined to confidentiality (VC:L). There are no known exploits in the wild, and no patches have been linked yet. The vulnerability does not affect integrity or availability but compromises confidentiality by leaving PII unmasked. This issue is particularly critical in environments handling sensitive personal data subject to GDPR and other privacy regulations. Organizations relying on Delphix Continuous Compliance must ensure correct EOR configurations and validate masking effectiveness to prevent data leakage.
Potential Impact
The primary impact of CVE-2025-14591 is the exposure of unmasked personally identifiable information (PII) due to incorrect parsing of delimited files. For European organizations, this poses significant risks including non-compliance with GDPR and other data protection laws, which can lead to regulatory fines, legal liabilities, and reputational damage. The vulnerability undermines the effectiveness of data masking controls, potentially allowing unauthorized access to sensitive data during compliance reporting or data processing workflows. Since the flaw is in a compliance tool, it may affect multiple business units relying on accurate data masking, amplifying the scope of exposure. Although the vulnerability does not directly affect system availability or integrity, the confidentiality breach can facilitate further attacks such as identity theft or targeted phishing. The ease of exploitation, with only low privileges (PR:L) and no user interaction (UI:N) required, increases the risk profile, especially in environments where Delphix Continuous Compliance processes large volumes of PII. European organizations in finance, healthcare, and government sectors are particularly vulnerable due to their extensive use of compliance tools and stringent data privacy requirements.
Mitigation Recommendations
To mitigate CVE-2025-14591, European organizations should first verify the End-of-Record (EOR) configuration settings within Delphix Continuous Compliance to ensure they correctly match the file formats being processed, especially for Windows and DOS style CR+LF sequences. Conduct comprehensive testing of data masking outputs to confirm that PII is properly masked under all file parsing scenarios. Monitor vendor communications closely for official patches or updates addressing this vulnerability and apply them promptly once available. Implement additional data protection layers such as encryption of sensitive data at rest and in transit to reduce exposure risk if masking fails. Review and enhance logging and monitoring to detect unusual access or data leakage patterns related to compliance reporting. Engage in regular audits of compliance tool configurations and data handling procedures to maintain masking integrity. Consider isolating or restricting access to compliance systems processing sensitive data to limit potential attack surfaces. Finally, provide training to compliance and security teams on the implications of EOR misconfigurations and the importance of validating masking effectiveness.
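The first two recommendations can be checked outside the product before a masking job runs. The following is an added example, not Perforce or Delphix code: a generic pre-flight check that compares a configured EOR with the terminators actually present in a delimited file, shows what a naive split on the wrong EOR does to fields, and looks for original PII values surviving in masked output. All function names and the sample data are constructed for illustration.

```python
# Illustrative pre-flight check; not Delphix code. All names are hypothetical.
# Constructed sample: a CR+LF-terminated delimited file with fake values.
SAMPLE = (b"id,name,ssn\r\n"
          b"1,Alice Example,000-00-0001\r\n"
          b"2,Bob Example,000-00-0002\r\n")

EOR_BYTES = {"CRLF": b"\r\n", "LF": b"\n", "CR": b"\r"}


def count_terminators(data: bytes) -> dict:
    """Count each record terminator, treating CR+LF as a single unit."""
    crlf = data.count(b"\r\n")
    return {"CRLF": crlf,
            "LF": data.count(b"\n") - crlf,   # bare LF only
            "CR": data.count(b"\r") - crlf}   # bare CR only


def check_eor(data: bytes, configured: str) -> list:
    """Return findings when the configured EOR does not match the file."""
    counts = count_terminators(data)
    present = [name for name, n in counts.items() if n]
    findings = []
    if len(present) > 1:
        findings.append(f"mixed terminators in file: {counts}")
    if present and configured not in present:
        findings.append(f"configured {configured}, file uses {present}")
    return findings


def split_records(data: bytes, configured: str, delim: bytes = b",") -> list:
    """Naive split on the configured EOR (no quoting support), used only
    to show how a mismatch shifts or pollutes field boundaries."""
    records = [r for r in data.split(EOR_BYTES[configured]) if r]
    return [r.split(delim) for r in records]


def leaked_values(original: bytes, masked: bytes, pii_col: int, eor: str) -> list:
    """Values from the original PII column that still appear in masked output."""
    rows = split_records(original, eor)[1:]  # skip the header record
    return [r[pii_col] for r in rows
            if len(r) > pii_col and r[pii_col] in masked]


if __name__ == "__main__":
    print(check_eor(SAMPLE, "LF"))          # mismatch finding
    print(split_records(SAMPLE, "LF")[0])   # header field carries a stray CR
```

A non-empty result from `check_eor` or `leaked_values` is a reason to stop the job and correct the configuration before masked data is released.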
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Perforce
- Date Reserved: 2025-12-12T16:01:02.586Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694619d2c376abdb7ecb86c2
Added to database: 12/20/2025, 3:36:50 AM
Last enriched: 12/20/2025, 3:52:42 AM
Last updated: 12/20/2025, 5:31:03 AM