
CVE-2025-33096: CWE-674 Uncontrolled Recursion in IBM Engineering Requirements Management Doors Next

Severity: Medium
Tags: Vulnerability, CVE-2025-33096, cve, cve-2025-33096, cwe-674
Published: Sun Oct 12 2025 (10/12/2025, 13:31:04 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Engineering Requirements Management Doors Next

Description

IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.

AI-Powered Analysis

AI analysis last updated: 10/20/2025, 01:15:51 UTC

Technical Analysis

CVE-2025-33096 is a vulnerability identified in IBM Engineering Requirements Management DOORS Next versions 7.0.2, 7.0.3, and 7.1. The issue arises from CWE-674, which is characterized by uncontrolled recursion that can lead to resource exhaustion and denial of service. Specifically, an authenticated user can upload specially crafted files that trigger uncontrolled recursive processing within the application. This recursive behavior can cause the application to consume excessive CPU or memory resources, ultimately leading to a denial of service condition where legitimate users are unable to access the service. The vulnerability requires the attacker to have valid credentials (privileges) to upload files, but does not require any further user interaction. The attack vector is network-based, meaning the attacker can exploit the vulnerability remotely once authenticated. The CVSS v3.1 score of 6.5 reflects a medium severity, with no impact on confidentiality or integrity, but a high impact on availability. Currently, there are no known exploits in the wild and no official patches have been published, indicating that organizations should be vigilant and prepare mitigation strategies. The vulnerability is particularly relevant for organizations that use IBM DOORS Next for requirements management in software and systems engineering, as denial of service could disrupt critical development workflows.

Potential Impact

For European organizations, the primary impact is a denial of service that can disrupt engineering and development processes relying on IBM DOORS Next. This can delay project timelines, reduce productivity, and potentially impact compliance with regulatory requirements in industries such as automotive, aerospace, defense, and manufacturing where requirements traceability is critical. Since the vulnerability requires authentication, insider threats or compromised credentials pose a significant risk. The lack of confidentiality or integrity impact limits data breach concerns, but availability interruptions can have cascading effects on dependent systems and teams. Organizations with large-scale deployments or those integrating DOORS Next into continuous integration/continuous deployment (CI/CD) pipelines may experience amplified disruption. The absence of known exploits reduces immediate risk, but the medium severity score and the critical nature of affected processes warrant proactive mitigation.

Mitigation Recommendations

1. Restrict file upload permissions to only trusted and necessary users to reduce the attack surface.
2. Implement strict input validation and scanning of uploaded files to detect and block malformed or suspicious content that could trigger recursion.
3. Monitor application resource usage (CPU, memory) closely to detect abnormal spikes that may indicate exploitation attempts.
4. Enforce strong authentication and credential management policies to prevent unauthorized access.
5. Isolate the DOORS Next environment where possible to limit impact scope.
6. Engage with IBM support and subscribe to security advisories to obtain patches or updates as soon as they become available.
7. Consider implementing rate limiting or upload size restrictions to mitigate resource exhaustion risks.
8. Conduct regular security assessments and penetration testing focused on file upload functionalities.
9. Prepare incident response plans specifically addressing denial of service scenarios in engineering tools.
10. Educate users about the risks of uploading untrusted files even within authenticated sessions.


Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-04-15T17:50:40.773Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ebb20ce7e4c74b800ba671

Added to database: 10/12/2025, 1:50:04 PM

Last enriched: 10/20/2025, 1:15:51 AM

Last updated: 12/5/2025, 1:59:32 AM

Views: 123

Community Reviews

0 reviews

